../data/rfc/rfc1399.txt-provides information for the Internet community. It does not specify an ../data/rfc/rfc1399.txt-Internet standard. ../data/rfc/rfc1399.txt- ../data/rfc/rfc1399.txt- ../data/rfc/rfc1399.txt-1346 Jones Jun 92 Resource Allocation, Control, and ../data/rfc/rfc1399.txt: Accounting for the Use of Network ../data/rfc/rfc1399.txt- Resources ../data/rfc/rfc1399.txt- ../data/rfc/rfc1399.txt-The purpose of this RFC is to focus discussion on particular challenges ../data/rfc/rfc1399.txt-in large service networks in general, and the International IP Internet ../data/rfc/rfc1399.txt-in particular. No solution discussed in this document is intended as a -- ../data/rfc/rfc2896.txt- ../data/rfc/rfc2896.txt-radiusacct PROTOCOL-IDENTIFIER ../data/rfc/rfc2896.txt- PARAMETERS { } ../data/rfc/rfc2896.txt- ATTRIBUTES { } ../data/rfc/rfc2896.txt- DESCRIPTION ../data/rfc/rfc2896.txt: "RADIUS Accounting Protocol" ../data/rfc/rfc2896.txt- REFERENCE ../data/rfc/rfc2896.txt: "RFC 2139 [RFC2139] defines the Radius Accounting protocol." ../data/rfc/rfc2896.txt- ::= { udp 1813 } ../data/rfc/rfc2896.txt- ../data/rfc/rfc2896.txt- -- ../data/rfc/rfc2896.txt- -- Portmapper Functions; Children of sunrpc ../data/rfc/rfc2896.txt- -- -- ../data/rfc/rfc2896.txt- ../data/rfc/rfc2896.txt- [RFC2138] Rigney, C., Rubens, A., Simpson, W. and W. Willens, ../data/rfc/rfc2896.txt- "Remote Authentication Dial In User Service (RADIUS)", RFC ../data/rfc/rfc2896.txt- 2138, April 1997. ../data/rfc/rfc2896.txt- ../data/rfc/rfc2896.txt: [RFC2139] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997. ../data/rfc/rfc2896.txt- ../data/rfc/rfc2896.txt- [RFC2145] Mogul, J., Fielding, R., Gettys, J. and H. Frystyk, "Use ../data/rfc/rfc2896.txt- and interpretation of HTTP version numbers", RFC 2145, May ../data/rfc/rfc2896.txt- 1997. 
../data/rfc/rfc2896.txt- -- ../data/rfc/rfc699.txt- ../data/rfc/rfc699.txt-673 Not Issued ../data/rfc/rfc699.txt- ../data/rfc/rfc699.txt-672 Schantz 6 Dec 74 A Multi-Site Data Collection Facility ../data/rfc/rfc699.txt- ../data/rfc/rfc699.txt: Applicability of TIP/TENEX protocols beyond TIP accounting. ../data/rfc/rfc699.txt- ../data/rfc/rfc699.txt-671 Schantz 6 Dec 74 A Note on Reconnection Protocol ../data/rfc/rfc699.txt- ../data/rfc/rfc699.txt- Experience with implementation in RSEXEC context. ../data/rfc/rfc699.txt- -- ../data/rfc/rfc75.txt-8:00 p.m. on Monday, November 16, 1970. ../data/rfc/rfc75.txt- ../data/rfc/rfc75.txt-The purpose of this meeting is to discuss several topics related to ../data/rfc/rfc75.txt-the practical use of the network. I have in mind: ../data/rfc/rfc75.txt- ../data/rfc/rfc75.txt: (a) accounting mechanisms ../data/rfc/rfc75.txt- ../data/rfc/rfc75.txt- (b) documentation distribution ../data/rfc/rfc75.txt- ../data/rfc/rfc75.txt- (c) person-to-person message sending and message storing ../data/rfc/rfc75.txt- -- ../data/rfc/rfc7075.txt- ../data/rfc/rfc7075.txt-5. IANA Considerations ../data/rfc/rfc7075.txt- ../data/rfc/rfc7075.txt- This specification allocates a new AVP code Redirect-Realm (620) in ../data/rfc/rfc7075.txt- the "AVP Codes" registry under "Authentication, Authorization, and ../data/rfc/rfc7075.txt: Accounting (AAA) Parameters". ../data/rfc/rfc7075.txt- ../data/rfc/rfc7075.txt- This specification allocates a new Result-Code value ../data/rfc/rfc7075.txt- DIAMETER_REALM_REDIRECT_INDICATION (3011) in the "Result-Code AVP ../data/rfc/rfc7075.txt- Values (code 268) - Protocol Errors" registry under "Authentication, ../data/rfc/rfc7075.txt: Authorization, and Accounting (AAA) Parameters". ../data/rfc/rfc7075.txt- ../data/rfc/rfc7075.txt- ../data/rfc/rfc7075.txt- ../data/rfc/rfc7075.txt- ../data/rfc/rfc7075.txt-Tsou, et al. Standards Track [Page 8] -- ../data/rfc/rfc129.txt-identified for message traffic routing from an NCP. 
In ../data/rfc/rfc129.txt-the past it has been said that users can be mobile, i.e., ../data/rfc/rfc129.txt-log on from different sites, and thus it is the user that ../data/rfc/rfc129.txt-needs identification. In many typical on-line systems the ../data/rfc/rfc129.txt-user first requests a service and then identifies himself ../data/rfc/rfc129.txt:to the service for purposes of accounting, etc. User IDs ../data/rfc/rfc129.txt-can be transmitted after requesting a service and can thus ../data/rfc/rfc129.txt-be elevated above the meaning of socket names. ../data/rfc/rfc129.txt- A program might typically associate the terminals, for ../data/rfc/rfc129.txt-which it is an agent, with the variable part of the identi- ../data/rfc/rfc129.txt-fier, i.e., the particular connection(s). For example, -- ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt-1. Introduction ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt- Network Management is often divided into the five main areas defined ../data/rfc/rfc7326.txt- in the ISO Telecommunications Management Network model: Fault, ../data/rfc/rfc7326.txt: Configuration, Accounting, Performance, and Security Management ../data/rfc/rfc7326.txt- (FCAPS) [X.700]. Not covered by this traditional management model is ../data/rfc/rfc7326.txt- Energy Management, which is rapidly becoming a critical area of ../data/rfc/rfc7326.txt- concern worldwide, as seen in [ISO50001]. ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt- This document defines an Energy Management framework for devices -- ../data/rfc/rfc7326.txt- procedures indicating that there should exist multiple ../data/rfc/rfc7326.txt- computerized systems that will poll energy measurements from ../data/rfc/rfc7326.txt- their meters and pricing / source data from their local ../data/rfc/rfc7326.txt- utility. 
Company A specifies that their CFO (Chief Financial ../data/rfc/rfc7326.txt- Officer) should collect information and summarize it quarterly ../data/rfc/rfc7326.txt: to be sent to an accounting firm to produce carbon accounting ../data/rfc/rfc7326.txt- reporting as required by their local government. ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt- 3. For the purposes of EMAN, the definition herein is the ../data/rfc/rfc7326.txt- preferred meaning of an EnMS. The definition from [ISO50001] ../data/rfc/rfc7326.txt- can be referred to as an ISO Energy Management System -- ../data/rfc/rfc7326.txt- keywords. ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt- An Energy Object can provide a set of keywords that is a list of tags ../data/rfc/rfc7326.txt- that can be used for grouping, summary reporting (within or between ../data/rfc/rfc7326.txt- Energy Management Domains), and searching. Potential examples are ../data/rfc/rfc7326.txt: IT, lobby, HumanResources, Accounting, StoreRoom, CustomerSpace, ../data/rfc/rfc7326.txt- router, phone, floor2, or SoftwareLab. ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt- The specifics of how this tag is represented are left to the MIB ../data/rfc/rfc7326.txt- module or other object definition documents to be based on this ../data/rfc/rfc7326.txt- framework. -- ../data/rfc/rfc7326.txt-Parello, et al. Informational [Page 39] ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt-RFC 7326 EMAN Framework September 2014 ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt: authorization, audit, and accounting principles to facilitate ../data/rfc/rfc7326.txt- investigations (compromise or benign misconfigurations) or any ../data/rfc/rfc7326.txt- reporting requirements. ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt- The information and control capabilities specified in this framework ../data/rfc/rfc7326.txt- could be exploited, to the detriment of a site or deployment. 
-- ../data/rfc/rfc7326.txt- o Unauthorized changes to a Power State will disrupt the power ../data/rfc/rfc7326.txt- settings of the different devices and therefore the state of ../data/rfc/rfc7326.txt- functionality of the respective devices. ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt- o Unauthorized changes to the demand history will disrupt proper ../data/rfc/rfc7326.txt: accounting of energy usage. ../data/rfc/rfc7326.txt- ../data/rfc/rfc7326.txt- With respect to data transport, SNMP versions prior to SNMPv3 did not ../data/rfc/rfc7326.txt- include adequate security. Even if the network itself is secure (for ../data/rfc/rfc7326.txt- example, by using IPsec), there is still no secure control over who ../data/rfc/rfc7326.txt- on the secure network is allowed to access and GET/SET -- ../data/rfc/rfc1662.txt-Simpson [Page 11] ../data/rfc/rfc1662.txt-RFC 1662 HDLC-like Framing July 1994 ../data/rfc/rfc1662.txt- ../data/rfc/rfc1662.txt- ../data/rfc/rfc1662.txt- mark idle (continuous ones), particularly those that calculate ../data/rfc/rfc1662.txt: accounting based on periods of bit activity. When mark idle is used ../data/rfc/rfc1662.txt- on a bit-synchronous link, the implementation MUST ensure at least 15 ../data/rfc/rfc1662.txt- consecutive "1" bits between Flags during the idle period, and that ../data/rfc/rfc1662.txt- the Flag Sequence is always generated at the beginning of a frame ../data/rfc/rfc1662.txt- after an idle period. ../data/rfc/rfc1662.txt- -- ../data/rfc/rfc7678.txt- enumerates the information that needs to be provisioned on a customer ../data/rfc/rfc7678.txt- edge router to support a list of transition techniques based on ../data/rfc/rfc7678.txt- tunneling IPv4 in IPv6, with a view to defining reusable components ../data/rfc/rfc7678.txt- for a reasonable transition path between these techniques. 
To the ../data/rfc/rfc7678.txt- extent that the provisioning is done dynamically, Authentication, ../data/rfc/rfc7678.txt: Authorization, and Accounting (AAA) support is needed to provide the ../data/rfc/rfc7678.txt- information to the network server responsible for passing the ../data/rfc/rfc7678.txt- information to the customer equipment. This document specifies ../data/rfc/rfc7678.txt- Diameter (RFC 6733) Attribute-Value Pairs (AVPs) to be used for that ../data/rfc/rfc7678.txt- purpose. ../data/rfc/rfc7678.txt- -- ../data/rfc/rfc7678.txt- Each technique requires the provisioning of some subscriber-specific ../data/rfc/rfc7678.txt- information on the customer edge device. The provisioning may be by ../data/rfc/rfc7678.txt- DHCPv6 [RFC3315] or by some other method. This document is ../data/rfc/rfc7678.txt- indifferent to the specific provisioning technique used but assumes a ../data/rfc/rfc7678.txt- deployment in which that information is managed by AAA ../data/rfc/rfc7678.txt: (Authentication, Authorization, and Accounting) servers. It further ../data/rfc/rfc7678.txt- assumes that this information is delivered to intermediate network ../data/rfc/rfc7678.txt- nodes for onward provisioning using the Diameter protocol [RFC6733]. ../data/rfc/rfc7678.txt- ../data/rfc/rfc7678.txt- As described below, in the particular case where the Lightweight ../data/rfc/rfc7678.txt- 4over6 (lw4o6) [RFC7596] transition method has been deployed, per- -- ../data/rfc/rfc4818.txt-Salowey & Droms Standards Track [Page 3] ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt-RFC 4818 Delegated-IPv6-Prefix Attribute April 2007 ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt: The Delegated-IPv6-Prefix attribute MAY appear in an Accounting- ../data/rfc/rfc4818.txt- Request packet. ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt- The Delegated-IPv6-Prefix MUST NOT appear in any other RADIUS ../data/rfc/rfc4818.txt- packets. 
../data/rfc/rfc4818.txt- -- ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt- The following table provides a guide to which attributes may be found ../data/rfc/rfc4818.txt- in which kinds of packets, and in what quantity. ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt- +-------------------------------------------------------------------+ ../data/rfc/rfc4818.txt: | Request Accept Reject Challenge Accounting # Attribute | ../data/rfc/rfc4818.txt- | Request | ../data/rfc/rfc4818.txt- | 0+ 0+ 0 0 0+ 123 Delegated-IPv6- | ../data/rfc/rfc4818.txt- | Prefix | ../data/rfc/rfc4818.txt- +-------------------------------------------------------------------+ ../data/rfc/rfc4818.txt- -- ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt-RFC 4818 Delegated-IPv6-Prefix Attribute April 2007 ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt- The text in this specification describing the applicability of the ../data/rfc/rfc4818.txt: Delegated-IPv6-Prefix attribute for RADIUS Accounting-Request applies ../data/rfc/rfc4818.txt: to Diameter Accounting-Request [6] as well. ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt- The AVP flag rules [5] for the Delegated-IPv6-Prefix attribute are: ../data/rfc/rfc4818.txt- ../data/rfc/rfc4818.txt- +---------------------+ ../data/rfc/rfc4818.txt- | AVP Flag rules | -- ../data/rfc/rfc6374.txt- o The LM protocol can perform two distinct kinds of loss ../data/rfc/rfc6374.txt- measurement: it can measure the loss of specially generated test ../data/rfc/rfc6374.txt- messages in order to infer the approximate data-plane loss level ../data/rfc/rfc6374.txt- (inferred measurement) or it can directly measure data-plane ../data/rfc/rfc6374.txt- packet loss (direct measurement). Direct measurement provides ../data/rfc/rfc6374.txt: perfect loss accounting, but may require specialized hardware ../data/rfc/rfc6374.txt- support and is only applicable to some LSP types. 
Inferred ../data/rfc/rfc6374.txt: measurement provides only approximate loss accounting but is ../data/rfc/rfc6374.txt- generally applicable. ../data/rfc/rfc6374.txt- ../data/rfc/rfc6374.txt- ../data/rfc/rfc6374.txt- ../data/rfc/rfc6374.txt- -- ../data/rfc/rfc6374.txt- ../data/rfc/rfc6374.txt-RFC 6374 MPLS Loss and Delay Measurement September 2011 ../data/rfc/rfc6374.txt- ../data/rfc/rfc6374.txt- ../data/rfc/rfc6374.txt- Direct LM has the advantage of being able to provide perfect loss ../data/rfc/rfc6374.txt: accounting when it is available. There are, however, several ../data/rfc/rfc6374.txt- constraints associated with direct LM. ../data/rfc/rfc6374.txt- ../data/rfc/rfc6374.txt- For accurate direct LM to occur, packets must not be sent between the ../data/rfc/rfc6374.txt- time the transmit count for an outbound LM message is determined and ../data/rfc/rfc6374.txt- the time the message is actually transmitted. Similarly, packets -- ../data/rfc/rfc8921.txt- solicits features supported by the following functional blocks: ../data/rfc/rfc8921.txt- ../data/rfc/rfc8921.txt- * Network provisioning (including order activation, Network ../data/rfc/rfc8921.txt- Planning, etc.) ../data/rfc/rfc8921.txt- ../data/rfc/rfc8921.txt: * Authentication, authorization, and accounting (AAA) ../data/rfc/rfc8921.txt- ../data/rfc/rfc8921.txt- * Network and service management (performance measurement and ../data/rfc/rfc8921.txt- assessment, fault detection, etc.) ../data/rfc/rfc8921.txt- ../data/rfc/rfc8921.txt- * Sales-related functional blocks (e.g., billing, invoice -- ../data/rfc/rfc4988.txt- ../data/rfc/rfc4988.txt- [rfc2131] Droms, R., "Dynamic Host Configuration Protocol", RFC ../data/rfc/rfc4988.txt- 2131, March 1997. ../data/rfc/rfc4988.txt- ../data/rfc/rfc4988.txt- [rfc3957] Perkins, C. and P. Calhoun, "Authentication, ../data/rfc/rfc4988.txt: Authorization, and Accounting (AAA) Registration Keys ../data/rfc/rfc4988.txt- for Mobile IPv4", RFC 3957, March 2005. 
../data/rfc/rfc4988.txt- ../data/rfc/rfc4988.txt- ../data/rfc/rfc4988.txt- ../data/rfc/rfc4988.txt- -- ../data/rfc/rfc8583.txt- information to non-peer nodes requires a transitive-trust model. ../data/rfc/rfc8583.txt- ../data/rfc/rfc8583.txt-9. IANA Considerations ../data/rfc/rfc8583.txt- ../data/rfc/rfc8583.txt- IANA has registered three new AVP codes in the "Authentication, ../data/rfc/rfc8583.txt: Authorization, and Accounting (AAA) Parameters" registry; see ../data/rfc/rfc8583.txt- Sections 7.1, 7.2, and 7.3. ../data/rfc/rfc8583.txt- ../data/rfc/rfc8583.txt- ../data/rfc/rfc8583.txt- ../data/rfc/rfc8583.txt-Campbell, et al. Standards Track [Page 16] -- ../data/rfc/rfc436.txt-supports a subset of the Remote Job Entry Protocol of RFC #407. This ../data/rfc/rfc436.txt-document includes enough information to allow the user to gain access ../data/rfc/rfc436.txt-to, and use the more basic function of UCSB's RJS. An RFC containing ../data/rfc/rfc436.txt-more detailed documentation will be forthcoming shortly. ../data/rfc/rfc436.txt- ../data/rfc/rfc436.txt: The accounting parameters needed to login to RJS are a userid and a ../data/rfc/rfc436.txt-password, each consisting of one to eight alphameric characters, the ../data/rfc/rfc436.txt-first of which must be alphabetic. The userid is, at present, ../data/rfc/rfc436.txt-completely arbitrary. The password is arbitrary the first time it is ../data/rfc/rfc436.txt-used with a particular userid; in subsequent logins with that userid, ../data/rfc/rfc436.txt-the same password must appear. Eventually, users will be assigned -- ../data/rfc/rfc6813.txt- ../data/rfc/rfc6813.txt- The NEA Asokan Attack is a variation on an attack described in a 2002 ../data/rfc/rfc6813.txt- paper written by Asokan, Niemi, and Nyberg [1]. Figure 1 depicts one ../data/rfc/rfc6813.txt- version of the original Asokan attack. 
This attack involves tricking ../data/rfc/rfc6813.txt- an authorized user into authenticating to a decoy Authentication, ../data/rfc/rfc6813.txt: Authorization, and Accounting (AAA) server, which forwards the ../data/rfc/rfc6813.txt- authentication protocol from one tunnel to another, tricking the real ../data/rfc/rfc6813.txt- AAA server into believing these messages originated from the ../data/rfc/rfc6813.txt- attacker-controlled machine. As a result, the real AAA server grants ../data/rfc/rfc6813.txt- access to the attacker-controlled machine. ../data/rfc/rfc6813.txt- -- ../data/rfc/rfc3689.txt- access to emergency telecommunications services. Any mechanism ../data/rfc/rfc3689.txt- for providing such authorization beyond closed private networks ../data/rfc/rfc3689.txt- SHOULD meet IETF Security Area criterion (e.g., clear-text ../data/rfc/rfc3689.txt- passwords would not generally be acceptable). Authorization ../data/rfc/rfc3689.txt- protects network resources from excessive use, from abuse, and ../data/rfc/rfc3689.txt: might also support billing and accounting for the offered service. ../data/rfc/rfc3689.txt- ../data/rfc/rfc3689.txt- Such authorization mechanisms SHOULD be flexible enough to provide ../data/rfc/rfc3689.txt- various levels of restriction and authorization depending on the ../data/rfc/rfc3689.txt- expectations of a particular service or customer. ../data/rfc/rfc3689.txt- -- ../data/rfc/rfc3689.txt- not specify solutions nor is it to be confused with requirements. ../data/rfc/rfc3689.txt- Subsequent documents that articulate a more specific set of ../data/rfc/rfc3689.txt- requirements for a particular service may make a statement about the ../data/rfc/rfc3689.txt- following issues. ../data/rfc/rfc3689.txt- ../data/rfc/rfc3689.txt: 1) Accounting ../data/rfc/rfc3689.txt- ../data/rfc/rfc3689.txt: Accounting represents a method of tracking actual usage of a ../data/rfc/rfc3689.txt- service. 
We assume that the usage of any service better than best ../data/rfc/rfc3689.txt- effort will be tracked and subsequently billed to the user. ../data/rfc/rfc3689.txt: Accounting is not addressed as a general requirement for ETS. ../data/rfc/rfc3689.txt- However, solutions used to realize ETS should not preclude an ../data/rfc/rfc3689.txt: accounting mechanism. ../data/rfc/rfc3689.txt- ../data/rfc/rfc3689.txt- 2) Admission Control ../data/rfc/rfc3689.txt- ../data/rfc/rfc3689.txt- The requirements of section 3 discuss labels and security. Those ../data/rfc/rfc3689.txt- developing solutions should understand that the ability labels -- ../data/rfc/rfc6538.txt- other approaches was published in [MOBILITY-COMPARISON]. ../data/rfc/rfc6538.txt- ../data/rfc/rfc6538.txt-9. Security Considerations ../data/rfc/rfc6538.txt- ../data/rfc/rfc6538.txt- This document is an informational survey of HIP-related research and ../data/rfc/rfc6538.txt: experience. Space precludes a full accounting of all security issues ../data/rfc/rfc6538.txt- associated with the approaches surveyed here, but the individually ../data/rfc/rfc6538.txt- referenced documents may discuss security considerations for their ../data/rfc/rfc6538.txt- respective protocol component. HIP security considerations for the ../data/rfc/rfc6538.txt- base HIP protocol can be found in Section 8 of [RFC5201]. 
../data/rfc/rfc6538.txt- -- ../data/rfc/rfc1391.txt- ../data/rfc/rfc1391.txt- For those who could not attend a meeting but would like a copy of the ../data/rfc/rfc1391.txt- Proceedings send a check for $35 (made payable to CNRI) to: ../data/rfc/rfc1391.txt- ../data/rfc/rfc1391.txt- Corporation for National Research Initiatives ../data/rfc/rfc1391.txt: Attn: Accounting Department - IETF Proceedings ../data/rfc/rfc1391.txt- 1895 Preston White Drive, Suite 100 ../data/rfc/rfc1391.txt- Reston, VA 22091 ../data/rfc/rfc1391.txt- ../data/rfc/rfc1391.txt- Please indicate which meeting Proceedings you would like to receive ../data/rfc/rfc1391.txt- by specifying the meeting date (e.g., July 1992) or meeting number -- ../data/rfc/rfc1010.txt- 1-149 Unassigned [JBP] ../data/rfc/rfc1010.txt- 150 Xerox NS IDP [102,XEROX] ../data/rfc/rfc1010.txt- 151 Unassigned [JBP] ../data/rfc/rfc1010.txt- 152 PARC Universal Protocol [7,XEROX] ../data/rfc/rfc1010.txt- 153 TIP Status Reporting [JGH] ../data/rfc/rfc1010.txt: 154 TIP Accounting [JGH] ../data/rfc/rfc1010.txt- 155 Internet Protocol [regular] [80,JBP] ../data/rfc/rfc1010.txt- 156-158 Internet Protocol [experimental] [80,JBP] ../data/rfc/rfc1010.txt- 159 Figleaf Link [JBW1] ../data/rfc/rfc1010.txt- 160-194 Unassigned [JBP] ../data/rfc/rfc1010.txt- 195 ISO-IP [52,RXM] -- ../data/rfc/rfc2676.txt- it is also important for the algorithm to account for the amount of ../data/rfc/rfc2676.txt- resources the network has to allocate to support a new flow. In ../data/rfc/rfc2676.txt- general, the network prefers to select the "cheapest" path among all ../data/rfc/rfc2676.txt- paths suitable for a new flow, and it may even decide not to accept a ../data/rfc/rfc2676.txt- new flow for which a feasible path exists, if the cost of the path is ../data/rfc/rfc2676.txt: deemed too high. Accounting for these aspects involves several ../data/rfc/rfc2676.txt- metrics on which the path selection process is based. 
They include: ../data/rfc/rfc2676.txt- ../data/rfc/rfc2676.txt- - Link available bandwidth: As mentioned earlier, we currently ../data/rfc/rfc2676.txt- assume that most QoS requirements are derivable from a rate- ../data/rfc/rfc2676.txt- related quantity, termed "bandwidth." We further assume that -- ../data/rfc/rfc2676.txt- proceeds. For simplicity, we first describe the simpler case where ../data/rfc/rfc2676.txt- all edges count as "hops," and later explain how zero-hop edges are ../data/rfc/rfc2676.txt- handled. Zero-hop edges arise in the case of transit networks ../data/rfc/rfc2676.txt- vertices, where only one of the two incoming and outgoing edges ../data/rfc/rfc2676.txt- should be counted in the hop count computation, as they both ../data/rfc/rfc2676.txt: correspond to the same physical hop. Accounting for this aspect ../data/rfc/rfc2676.txt- requires distinguishing between network and router nodes, and the ../data/rfc/rfc2676.txt- steps involved are detailed later in this section as well as in the ../data/rfc/rfc2676.txt- pseudo-code of Appendix A. ../data/rfc/rfc2676.txt- ../data/rfc/rfc2676.txt- When the algorithm is invoked, the routing table is first initialized -- ../data/rfc/rfc5810.txt- Before the transition to the association phase, the FEM will have ../data/rfc/rfc5810.txt- established contact with a CEM component. Initialization of the ../data/rfc/rfc5810.txt- ForCES interface will have completed, and authentication as well as ../data/rfc/rfc5810.txt- capability discovery may be complete. Both the FE and CE would have ../data/rfc/rfc5810.txt- the necessary information for connecting to each other for ../data/rfc/rfc5810.txt: configuration, accounting, identification, and authentication ../data/rfc/rfc5810.txt- purposes. To summarize, at the completion of this stage both sides ../data/rfc/rfc5810.txt- have all the necessary protocol parameters such as timers, etc. 
The ../data/rfc/rfc5810.txt- Fl reference point may continue to operate during the association ../data/rfc/rfc5810.txt- phase and may be used to force a disassociation of an FE or CE. The ../data/rfc/rfc5810.txt- specific interactions of the CEM and the FEM that are part of the -- ../data/rfc/rfc3292.txt- information concerning a single connection. Each connection is ../data/rfc/rfc3292.txt- specified by its input port and Input Label which are specified in ../data/rfc/rfc3292.txt- the Input Port and Input Label fields of each Activity Record. ../data/rfc/rfc3292.txt- ../data/rfc/rfc3292.txt- Two forms of activity detection are supported. If the switch ../data/rfc/rfc3292.txt: supports per connection traffic accounting, the current value of the ../data/rfc/rfc3292.txt- traffic counter for each specified connection MUST be returned. The ../data/rfc/rfc3292.txt- units of traffic counted are not specified but will typically be ../data/rfc/rfc3292.txt- either cells or frames. The controller MUST compare the traffic ../data/rfc/rfc3292.txt- counts returned in the message with previous values for each of the ../data/rfc/rfc3292.txt- specified connections to determine whether each connection has been ../data/rfc/rfc3292.txt- active in the intervening period. If the switch does not support per ../data/rfc/rfc3292.txt: connection traffic accounting, but is capable of detecting per ../data/rfc/rfc3292.txt- connection activity by some other unspecified means, the result may ../data/rfc/rfc3292.txt- be indicated for each connection using the Flags field. The ../data/rfc/rfc3292.txt- Connection Activity message is: ../data/rfc/rfc3292.txt- ../data/rfc/rfc3292.txt- Message Type = 48 -- ../data/rfc/rfc5945.txt-RFC 5945 RSVP Proxy Approaches October 2010 ../data/rfc/rfc5945.txt- ../data/rfc/rfc5945.txt- ../data/rfc/rfc5945.txt- on-path admission control can be offered to VoD services over ../data/rfc/rfc5945.txt- broadband aggregation networks without network or VoD pump upgrade. 
../data/rfc/rfc5945.txt: Those include accurate bandwidth accounting regardless of topology ../data/rfc/rfc5945.txt- (hub-and-spoke, ring, mesh, star, arbitrary combinations) and dynamic ../data/rfc/rfc5945.txt- adjustment to any change in topology (such as failure, routing ../data/rfc/rfc5945.txt- change, additional links, etc.). ../data/rfc/rfc5945.txt- ../data/rfc/rfc5945.txt-A.2. RSVP-Based Voice/Video Connection Admission Control (CAC) in -- ../data/rfc/rfc4821.txt- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 ../data/rfc/rfc4821.txt- 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 ../data/rfc/rfc4821.txt- 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 ../data/rfc/rfc4821.txt- 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 9 ../data/rfc/rfc4821.txt- 5. Layering . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 ../data/rfc/rfc4821.txt: 5.1. Accounting for Header Sizes . . . . . . . . . . . . . . . 10 ../data/rfc/rfc4821.txt- 5.2. Storing PMTU Information . . . . . . . . . . . . . . . . . 11 ../data/rfc/rfc4821.txt: 5.3. Accounting for IPsec . . . . . . . . . . . . . . . . . . . 12 ../data/rfc/rfc4821.txt- 5.4. Multicast . . . . . . . . . . . . . . . . . . . . . . . . 12 ../data/rfc/rfc4821.txt- 6. Common Packetization Properties . . . . . . . . . . . . . . . 13 ../data/rfc/rfc4821.txt- 6.1. Mechanism to Detect Loss . . . . . . . . . . . . . . . . . 13 ../data/rfc/rfc4821.txt- 6.2. Generating Probes . . . . . . . . . . . . . . . . . . . . 13 ../data/rfc/rfc4821.txt- 7. The Probing Method . . . . . . . . . . . . . . . . . . . . . . 14 -- ../data/rfc/rfc4821.txt- control state machines. ../data/rfc/rfc4821.txt- ../data/rfc/rfc4821.txt- Note that this layering approach is a direct extension of the advice ../data/rfc/rfc4821.txt- in the current PMTUD specifications in RFC 1191 and RFC 1981. ../data/rfc/rfc4821.txt- ../data/rfc/rfc4821.txt:5.1. 
../data/rfc/rfc4821.txt
Accounting for Header Sizes

The way in which PLPMTUD operates across multiple layers requires a mechanism for accounting header sizes at all layers between IP and the Packetization Layer (inclusive). When transmitting non-probe packets, it is sufficient for the Packetization Layer to ensure an upper bound on final IP packet size, so as not to exceed the current
--
[RFC2460][RFC3697] as the local representation of a path. Such an approach could theoretically result in the use of optimally sized packets on a per-flow basis, providing finer granularity than MTU values maintained on a per-destination basis.

5.3. Accounting for IPsec

This document does not take a stance on the placement of IP Security (IPsec) [RFC2401], which logically sits between IP and the Packetization Layer. A PLPMTUD implementation can treat IPsec either as part of IP or as part of the Packetization Layer, as long as the accounting is consistent within the implementation. If IPsec is treated as part of the IP layer, then each security association to a remote node may need to be treated as a separate path. If IPsec is treated as part of the Packetization Layer, the IPsec header size MUST be included in the Packetization Layer's header size calculations.
--
../data/rfc/rfc7980.txt
7.3. Network-External Dependencies

Some dependencies are on elements outside the actual network, for example, on an external NTP clock source or an Authentication, Authorization, and Accounting (AAA) server. Again, a trade-off is made: in the example of AAA used for login authentication, we reduce the configuration (state) on each node (in particular, user-specific configuration), but we add an external dependency on a AAA server. In networks with many administrators, a AAA server is clearly the only manageable way to track all administrators. But, it comes at
--
../data/rfc/rfc4284.txt
sent to the peer in an EAP-Request/Identity message by appending it after the displayable message and a NUL character.

This mechanism may assist the peer in selecting a credential and associated NAI, or in formatting the NAI [RFC4282] to facilitate routing of Authentication, Authorization, and Accounting (AAA) messages to the home AAA server. If there are several mediating networks available, the peer can influence which one is used.

Exactly how the selection is made by the peer depends largely on the peer's local policy and configuration, and is outside the scope of
--
../data/rfc/rfc2211.txt
Controlled-load service modules provide QoS control for traffic conforming to the TSpec given at setup time. The TSpec's token bucket parameters require that traffic must obey the rule that over all time periods, the amount of data sent does not exceed rT+b, where r and b are the token bucket parameters and T is the length of the time period. For the purposes of this accounting, links must count packets that are smaller than the minimal policing unit m to be of size m. Packets that arrive at an element and cause a violation of the rT+b bound are considered nonconformant.

Additionally, packets bigger than the outgoing link MTU are
--
../data/rfc/rfc7744.txt
mixture of these topologies may be deployed to collect the metering information. Drive-by metering is one of the most current solutions deployed for collection of gas and water meters.

Various stakeholders have a claim on the metering data. Utility companies need the data for accounting, the metering equipment may be operated by a third-party service operator who needs to maintain it, and the equipment is installed in the premises of the consumers, measuring their consumption, which entails privacy questions.

2.5.1. Drive-By Metering
--
../data/rfc/rfc5441.txt
been explicitly listed as a requirement in [RFC4105] and [RFC4216].
In the case of a TE LSP reoptimization request, the reoptimization procedure defined in [RFC5440] applies when the path in use (if available on the head-end) is provided as part of the path computation request so that the PCEs involved in the reoptimization request can avoid double bandwidth accounting.

12. Path Computation Failure

If a PCE requires to relay a path computation request according to the BRPC procedure defined in this document to a downstream PCE and
--
../data/rfc/rfc2654.txt
cn: Barbara Jensen
cn: Barbara J Jensen
cn: Babs Jensen
sn: Jensen
uid: bjensen
dn: cn=Bjorn Jensen, ou=Accounting, o=Ace Industry, c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Bjorn Jensen
sn: Jensen
title: Accounting manager
dn: cn=Gern Jensen, ou=Product Testing, o=Ace Industry, c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Gern Jensen
--
-4/Horatio
-4/N
sn: */Jensen
title: 1/product
-1-2/manager
-1/accounting
-3,4/testpilot
END Index-Info

5.1.2 "tag" consistency based full update
--
-4/N
sn: */Jensen

title: 1/product
-1-2/manager
-1/accounting
-3,4/testpilot
END Index-Info

5.1.3 "unique" consistency based full update
--
sn: FULL
title: TOKEN
END IO-Schema
BEGIN Index-Info
dn: 1/cn=Barbara Jensen, ou=Product Development, o=Ace Industry, c=US
-2/cn=Bjorn Jensen, ou=Accounting, o=Ace Industry, c=US
-3/cn=Gern Jensen, ou=Product Testing, o=Ace Industry, c=US
-4/cn=Horatio Jensen, ou=Product Testing, o=Ace Industry, c=US
cn: 1/Barbara
-1/J
-1/Babs
--
-4/Horatio
-4/N
sn: */Jensen
title: 1/product
-1-2/manager
-1/accounting
-3,4/testpilot
END Index-Info
--
objectclass: organizationalPerson
cn: Bo Didley
sn: Didley
title: Policy Maker
# Delete an existing entry
dn: cn=Bjorn Jensen, ou=Accounting, o=Ace Industry, c=US
changetype: delete
# Modify all other entries: adding an additional locality value
dn: cn=Barbara Jensen, ou=Product Development, o=Ace Industry, c=US
changetype: modify
add: locality
--
END Add Block
BEGIN Delete Block
cn: 1/Bjorn
-1/Jensen
sn: 1/Jensen
title: 1/Accounting
-1/Manager
END Delete Block
BEGIN Update Block
BEGIN Old
cn: 1/Barbara
--
END Add Block
BEGIN Delete Block
cn: 2/Bjorn
-2/Jensen
sn: 2/Jensen
title: 2/Accounting
-2/Manager
END Delete Block
BEGIN Update Block
BEGIN New
locality: 1/Jersey
--
-1/maker
locality: 1/New
-1/York
END Add Block
BEGIN Delete Block
dn: 1/cn=Bjorn Jensen, ou=Accounting, o=Ace Industry, c=US
END Delete Block
BEGIN Update Block
BEGIN New
dn: 1/cn=Barbara Jensen, ou=Product Development, o=Ace Industry, c=US
-2/cn=Gern Jensen, ou=Product Testing, o=Ace Industry, c=US
--
../data/rfc/rfc1104.txt
Braun [Page 8]

RFC 1104 Models of Policy Based Routing June 1989

8. Accounting vs. Policy Based Routing

Quite often Accounting and Policy Based Routing are discussed together. While the application of both Accounting and Policy Based Routing is to control access to scarce network resources, these are separate (but related) issues.

The chief difference between Accounting and Policy Based Routing is that Accounting combines history information with policy information to track network usage for various purposes. Accounting information may in turn drive policy mechanisms (for instance, one could imagine a policy limiting a certain organization to a fixed aggregate percentage of dynamically shared bandwidth). Conversely, policy information may affect accounting issues. Network accounting typically involves route information (at any level from AD to end system) and volume information (packet, octet counts).

Accounting may be implemented in conjunction with any of the policy models mentioned above. Similar to the microscopic versus macroscopic policies, accounting may be classified into different levels. One may collect accounting data at the AD level, network level, host level, or even at the individual user level. However, since accounting may be organized hierarchically, microscopic accounting may be supported at the network or host level, while macroscopic accounting may be supported at the network or AD level. An example might be the amount of traffic passed at the interface between the NSFNET and a mid-level network or between a mid-level network and a campus. Furthermore, the NSFNET has facilities implemented to allow for accounting of traffic trends from individual network numbers as well as application-specific information.

Full-blown accounting schemes suffer the same types of concerns previously discussed, with the added complication of potentially large amounts of additional data gathered that must be reliably retrieved. As pointed out in [4], policy issues may impact the way accounting data is collected (one administration billing for packets that were then dropped in the network of another administration). Microscopic accounting may not scale well in a large internet.

Furthermore, from the standpoint of billing, it is not clear that the services provided at the network layer map well to the sorts of services that network consumers are willing to pay for. In the telephone network (as well as public data networks), users pay for
--
Lightweight approaches to accounting can be used (with less impact) when specific, limited goals are set. One suggested approach involves monitoring traffic patterns. If a pattern of abuse (e.g., unauthorized use) develops, an accounting system could track this and allow corrective action to be taken, by changing routing policy or imposing access control (blocking hosts or nets). Note that this is much less intrusive into the packet forwarding aspects of the routers, but requires distribution of a policy database that the accounting system can use to reduce the raw information. Because this approach is statistical in nature, it may be slow to react.

9. References

[1] Rekhter, Y., "EGP and Policy Based Routing in the New NSFNET
--
../data/rfc/rfc7937.txt
   2.2.2.  Logging Collection . . . . . . . . . . . . . . . . . . 11
   2.2.3.  Logging Filtering  . . . . . . . . . . . . . . . . . . 11
   2.2.4.  Logging Rectification and Post-Generation Aggregation  12
   2.2.5.  Log-Consuming Applications . . . . . . . . . . . . . . 13
     2.2.5.1.  Maintenance and Debugging  . . . . . . . . . . . . 13
     2.2.5.2.  Accounting . . . . . . . . . . . . . . . . . . . . 14
     2.2.5.3.  Analytics and Reporting  . . . . . . . . . . . . . 14
     2.2.5.4.  Content Protection . . . . . . . . . . . . . . . . 14
     2.2.5.5.  Notions Common to Multiple Log-Consuming
               Applications . . . . . . . . . . . . . . . . . . . 15
 3.  CDNI Logging File  . . . . . . . . . . . . . . . . . . . . . . 17
--
NAT, where dynamic IP addresses are used and reused, etc.). However, care SHOULD be taken so that the client identifiers exposed in other fields of the CDNI Records cannot themselves be linked back to actual users.

2.2.5.2. Accounting

Logging information is essential for accounting, to permit inter-CDN billing and CSP billing by uCDNs. For instance, Logging information provided by dCDNs enables the uCDN to compute the total amount of traffic delivered by every dCDN for a particular Content Provider, as well as the associated bandwidth usage (e.g., peak, 95th percentile), and the maximum number of simultaneous sessions over a given period
--
../data/rfc/rfc913.txt
Tells the remote system you are done.

The remote system replies:

+(the message may be charge/accounting info)

and then both systems close the connection.
--
../data/rfc/rfc985.txt
application level. It is expected that the network-level NSF gateway requirements summarized in this document will be incorporated in the requirements document for these application-level gateways.

B.4. Access Control and Accounting

There are no requirements for NSF gateways at this time to incorporate specific access-control and accounting mechanisms in the design; however, these important issues are currently under study and will be incorporated into a redraft of this document at an early date. Vendors are encouraged to plan for the early introduction of these mechanisms in their products. While at this
--
RFC 985 May 1986
Requirements for Internet Gateways -- DRAFT

time no definitive common model for access control and accounting has emerged, it is possible to outline some general features such a model is likely to have, among them the following:

1. The primary access control and accounting executive mechanisms will be in the service hosts themselves, not the gateways, packet switches or workstations.

2. Agents acting on behalf of access control and accounting executive mechanisms may be necessary in the gateways, packet switches or workstations. These may be used to collect data, enforce password protection or mitigate resource priority and fairness. However, the architecture and protocols used by these agents may be a local matter and not possible to specify in advance.

3. NSF gateways may be required to incorporate access control and accounting mechanisms based on packet source/destination address, as well as other fields in the IP header, internal priority and fairness. However, it is extremely unlikely that these mechanisms would involve a user-level login to the gateway itself.
--
../data/rfc/rfc2527.txt
* Indemnification of CA and/or RA by relying parties;

* Fiduciary relationships (or lack thereof) between the various entities; and

* Administrative processes (e.g., accounting, audit).

4.2.4 Interpretation and Enforcement

This subcomponent contains any applicable provisions regarding interpretation and enforcement of the certificate policy or CPS,
--
../data/rfc/rfc2620.txt
Request for Comments: 2620                                       G. Zorn
Category: Informational                                        Microsoft
                                                               June 1999

RADIUS Accounting Client MIB

Status of this Memo

This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of
--
Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

This memo defines a set of extensions which instrument RADIUS accounting client functions.
These extensions represent a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. Using these extensions IP-based management stations can manage RADIUS accounting clients.

1. Introduction

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects used for managing RADIUS accounting clients.

Today a wide range of network devices, including routers and NASes, act as RADIUS accounting clients in order to provide accounting services. As a result, the effective management of RADIUS accounting clients is of considerable importance.

2. The SNMP Management Framework

The SNMP Management Framework presently consists of five major
--
Aboba & Zorn Informational [Page 1]

RFC 2620 RADIUS Accounting Client MIB June 1999

STD 15, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The second version, called SMIv2, is described in STD 58, RFC 2578 [5], RFC 2579 [6] and RFC 2580 [7].
--
readable information is not considered to change the semantics of the MIB.

3. Overview

The RADIUS accounting protocol, described in [16], distinguishes between the client function and the server function. In RADIUS accounting, clients send Accounting-Requests, and servers reply with Accounting-Responses. Typically NAS devices implement the client function, and thus would be expected to implement the RADIUS accounting client MIB, while RADIUS accounting servers implement the server function, and thus would be expected to implement the RADIUS accounting server MIB.

However, it is possible for a RADIUS accounting entity to perform both client and server functions. For example, a RADIUS proxy may act as a server to one or more RADIUS accounting clients, while simultaneously acting as an accounting client to one or more accounting servers. In such situations, it is expected that RADIUS entities combining client and server functionality will support both the client and server MIBs.

3.1. Selected objects

This MIB module contains two scalars as well as a single table:

(1) the RADIUS Accounting Server Table contains one row for each RADIUS server that the client shares a secret with.

Each entry in the RADIUS Accounting Server Table includes thirteen columns presenting a view of the activity of the RADIUS client.

4. Definitions

RADIUS-ACC-CLIENT-MIB DEFINITIONS ::= BEGIN
--
            Phone: +1 425 936 6605
            EMail: bernarda@microsoft.com"
       DESCRIPTION
            "The MIB module for entities implementing the client side of
             the Remote Access Dialin User Service (RADIUS) accounting
             protocol."
       REVISION "9906110000Z"    -- 11 Jun 1999
       DESCRIPTION "Initial version as published in RFC 2620"
       ::= { radiusAccounting 2 }

radiusMIB OBJECT-IDENTITY
       STATUS  current
       DESCRIPTION
            "The OID assigned to RADIUS MIB work by the IANA."
       ::= { mib-2 67 }

radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}

radiusAccClientMIBObjects OBJECT IDENTIFIER ::=
                                   { radiusAccClientMIB 1 }

radiusAccClient OBJECT IDENTIFIER ::= { radiusAccClientMIBObjects 1 }
--
radiusAccClientInvalidServerAddresses OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Accounting-Response packets
             received from unknown addresses."
      ::= { radiusAccClient 1 }

radiusAccClientIdentifier OBJECT-TYPE
      SYNTAX SnmpAdminString
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The NAS-Identifier of the RADIUS accounting client. This
             is not necessarily the same as sysName in MIB II."
      ::= { radiusAccClient 2 }

radiusAccServerTable OBJECT-TYPE
      SYNTAX SEQUENCE OF RadiusAccServerEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "The (conceptual) table listing the RADIUS accounting
             servers with which the client shares a secret."
      ::= { radiusAccClient 3 }

radiusAccServerEntry OBJECT-TYPE
      SYNTAX RadiusAccServerEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "An entry (conceptual row) representing a RADIUS
             accounting server with which the client shares a secret."
      INDEX { radiusAccServerIndex }
      ::= { radiusAccServerTable 1 }

RadiusAccServerEntry ::= SEQUENCE {
--
      SYNTAX Integer32 (1..2147483647)
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "A number uniquely identifying each RADIUS
             Accounting server with which this client
             communicates."
      ::= { radiusAccServerEntry 1 }

radiusAccServerAddress OBJECT-TYPE
      SYNTAX IpAddress
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The IP address of the RADIUS accounting server
             referred to in this table entry."
      ::= { radiusAccServerEntry 2 }

radiusAccClientServerPortNumber OBJECT-TYPE
      SYNTAX Integer32 (0..65535)
--
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The time interval between the most recent
             Accounting-Response and the Accounting-Request that
             matched it from this RADIUS accounting server."
      ::= { radiusAccServerEntry 4 }

-- Request/Response statistics
--
-- Requests = Responses + PendingRequests + ClientTimeouts
--
radiusAccClientRequests OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Accounting-Request packets
             sent. This does not include retransmissions."
      ::= { radiusAccServerEntry 5 }

radiusAccClientRetransmissions OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Accounting-Request packets
             retransmitted to this RADIUS accounting server.
             Retransmissions include retries where the
             Identifier and Acct-Delay have been updated, as
             well as those in which they remain the same."
      ::= { radiusAccServerEntry 6 }
--
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS packets received on the
             accounting port from this server."
      ::= { radiusAccServerEntry 7 }

radiusAccClientMalformedResponses OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of malformed RADIUS Accounting-Response
             packets received from this server. Malformed packets
             include packets with an invalid length. Bad
             authenticators and unknown types are not included as
             malformed accounting responses."
      ::= { radiusAccServerEntry 8 }

radiusAccClientBadAuthenticators OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Accounting-Response
             packets which contained invalid authenticators
             received from this server."
      ::= { radiusAccServerEntry 9 }

radiusAccClientPendingRequests OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Accounting-Request packets
             sent to this server that have not yet timed out or
             received a response. This variable is incremented when an
             Accounting-Request is sent and decremented due to
             receipt of an Accounting-Response, a timeout or
             a retransmission."
      ::= { radiusAccServerEntry 10 }

radiusAccClientTimeouts OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of accounting timeouts to this server.
             After a timeout the client may retry to the same
             server, send to a different server, or give up.
             A retry to the same server is counted as a
             retransmit as well as a timeout. A send to a different
             server is counted as an Accounting-Request as well as
             a timeout."
      ::= { radiusAccServerEntry 11 }

radiusAccClientUnknownTypes OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS packets of unknown type which
             were received from this server on the accounting port."
      ::= { radiusAccServerEntry 12 }

radiusAccClientPacketsDropped OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS packets which were received from
             this server on the accounting port and dropped for some
             other reason."
      ::= { radiusAccServerEntry 13 }

-- conformance information
--
-- compliance statements

radiusAccClientMIBCompliance MODULE-COMPLIANCE
      STATUS current
      DESCRIPTION
            "The compliance statement for accounting clients
             implementing the RADIUS Accounting Client MIB."
      MODULE -- this module
      MANDATORY-GROUPS { radiusAccClientMIBGroup }

      ::= { radiusAccClientMIBCompliances 1 }
--
             radiusAccClientRetransmissions,
             radiusAccClientResponses,
             radiusAccClientMalformedResponses,
--
             radiusAccClientPacketsDropped
      }
      STATUS current
      DESCRIPTION
            "The basic collection of objects providing management of
             RADIUS Accounting Clients."
      ::= { radiusAccClientMIBGroups 1 }

END

5. References
--
[9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996.
--
[15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model for the Simple Network Management Protocol (SNMP)", RFC 2575, April 1999.
../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt: [16] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997. ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt-6. Security Considerations ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- There are no management objects defined in this MIB that have a MAX- ../data/rfc/rfc2620.txt- ACCESS clause of read-write and/or read-create. So, if this MIB is -- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt-Aboba & Zorn Informational [Page 10] ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt:RFC 2620 RADIUS Accounting Client MIB June 1999 ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- radiusAccServerAddress ../data/rfc/rfc2620.txt- This can be used to determine the address of the RADIUS ../data/rfc/rfc2620.txt: accounting server with which the client is communicating. ../data/rfc/rfc2620.txt- This information could be useful in mounting an attack on ../data/rfc/rfc2620.txt- the acounting server, which may contain sensitive financial ../data/rfc/rfc2620.txt- data. ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- radiusAccClientServerPortNumber This can be used to determine the ../data/rfc/rfc2620.txt: port number on which the RADIUS accounting client is ../data/rfc/rfc2620.txt- sending. This information could be useful in impersonating ../data/rfc/rfc2620.txt- the client in order to send fraudulent data to the ../data/rfc/rfc2620.txt: accounting server. ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- It is thus important to control even GET access to these objects and ../data/rfc/rfc2620.txt- possibly to even encrypt the values of these object when sending them ../data/rfc/rfc2620.txt- over the network via SNMP. Not all versions of SNMP provide features ../data/rfc/rfc2620.txt- for such a secure environment. 
-- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt-Aboba & Zorn Informational [Page 11] ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt:RFC 2620 RADIUS Accounting Client MIB June 1999 ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt-8. Authors' Addresses ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- Bernard Aboba -- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt-Aboba & Zorn Informational [Page 12] ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt:RFC 2620 RADIUS Accounting Client MIB June 1999 ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt-9. Full Copyright Statement ../data/rfc/rfc2620.txt- ../data/rfc/rfc2620.txt- Copyright (C) The Internet Society (1999). All Rights Reserved. -- ../data/rfc/rfc4031.txt- 7.2.4. Provisioning Network Access . . . . . . . . . . 39 ../data/rfc/rfc4031.txt- 7.2.5. Provisioning Security Services. . . . . . . . . 40 ../data/rfc/rfc4031.txt- 7.2.6. Provisioning VPN Resource Parameters. . . . . . 40 ../data/rfc/rfc4031.txt- 7.2.7. Provisioning Value-Added Service Access . . . . 40 ../data/rfc/rfc4031.txt- 7.2.8. Provisioning Hybrid VPN Services. . . . . . . . 41 ../data/rfc/rfc4031.txt: 7.3. Accounting. . . . . . . . . . . . . . . . . . . . . . . 41 ../data/rfc/rfc4031.txt- 7.4. Performance Management. . . . . . . . . . . . . . . . . 42 ../data/rfc/rfc4031.txt- 7.4.1. Performance Monitoring. . . . . . . . . . . . . 42 ../data/rfc/rfc4031.txt- 7.4.2. SLA and QoS Management Features . . . . . . . . 42 ../data/rfc/rfc4031.txt- 7.5. Security Management . . . . . . . . . . . . . . . . . . 43 ../data/rfc/rfc4031.txt- 7.5.1. Resource Access Control . . . . . . . . . . . . 43 -- ../data/rfc/rfc4031.txt- O Manage the VPN networks deployed over these resources (network ../data/rfc/rfc4031.txt- management). 
../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- o Manage the VPN service (service management). ../data/rfc/rfc4031.txt- o Manage the VPN business, mainly provisioning administrative and ../data/rfc/rfc4031.txt: accounting information related to the VPN service customers ../data/rfc/rfc4031.txt- (business management). ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- Service management should include the TMN 'FCAPS' functionalities, as ../data/rfc/rfc4031.txt: follows: Fault, Configuration, Accounting, Provisioning, and ../data/rfc/rfc4031.txt- Security, as detailed in section 7. ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt-4.6. Interworking ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- Interworking scenarios among different solutions providing L3VPN -- ../data/rfc/rfc4031.txt- languages) to access such systems is undesirable. Therefore, devices ../data/rfc/rfc4031.txt- SHOULD provide standards-based interfaces wherever feasible. ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- The remainder of this section presents detailed SP management ../data/rfc/rfc4031.txt- requirements for a Network Management System (NMS) in the traditional ../data/rfc/rfc4031.txt: fault, configuration, accounting, performance, and security (FCAPS) ../data/rfc/rfc4031.txt- management categories. Much of this text was adapted from ITU-T ../data/rfc/rfc4031.txt- Y.1311.1. ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- -- ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- Configuration of interworking or interconnection between L3VPN ../data/rfc/rfc4031.txt- solutions SHOULD be also supported. Ensuring that security and ../data/rfc/rfc4031.txt- end-to-end QoS issues are provided consistently SHOULD be addressed. ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt:7.3. Accounting ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- Many service providers require collection of measurements regarding ../data/rfc/rfc4031.txt: resource usage for accounting purposes. 
The NMS MAY need to ../data/rfc/rfc4031.txt: correlate accounting information with performance and fault ../data/rfc/rfc4031.txt- management information to produce billing that takes into account SLA ../data/rfc/rfc4031.txt- provisions for periods of time when the SLS is not met. ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt: An L3VPN solution MUST describe how the following accounting ../data/rfc/rfc4031.txt- functions can be provided: ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- - Measurements of resource utilization. ../data/rfc/rfc4031.txt: - collection of accounting information. ../data/rfc/rfc4031.txt- - storage and administration of measurements. ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- -- ../data/rfc/rfc4031.txt- management service. ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- If an SP supports a "Dynamic Bandwidth management" service, then the ../data/rfc/rfc4031.txt- dates, times, amounts, and interval required to perform requested ../data/rfc/rfc4031.txt- bandwidth allocation change(s) MUST be traceable for monitoring and ../data/rfc/rfc4031.txt: accounting purposes. ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt: Solutions should state compliance with accounting requirements, as ../data/rfc/rfc4031.txt- described in section 1.7 of RFC 2975 [RFC2975]. ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt-7.4. Performance Management ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- Performance management MUST support functions involved with -- ../data/rfc/rfc4031.txt- [RFC2764] Gleeson, B., Lin, A., Heinanen, J., Armitage, G., and ../data/rfc/rfc4031.txt- A. Malis, "A Framework for IP Based Virtual Private ../data/rfc/rfc4031.txt- Networks", RFC 2764, February 2000. ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- [RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction ../data/rfc/rfc4031.txt: to Accounting Management", RFC 2975, October 2000. 
../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt- ../data/rfc/rfc4031.txt-Carugi & McDysan Standards Track [Page 47] -- ../data/rfc/rfc5000.txt--------- The Early Session Disposition Type for the Session 3959* ../data/rfc/rfc5000.txt- Initiation Protocol (SIP) ../data/rfc/rfc5000.txt--------- Domain-Based Application Service Location Using SRV 3958* ../data/rfc/rfc5000.txt- RRs and the Dynamic Delegation Discovery Service ../data/rfc/rfc5000.txt- (DDDS) ../data/rfc/rfc5000.txt:-------- Authentication, Authorization, and Accounting (AAA) 3957* ../data/rfc/rfc5000.txt- Registration Keys for Mobile IPv4 ../data/rfc/rfc5000.txt--------- Embedding the Rendezvous Point (RP) Address in an 3956* ../data/rfc/rfc5000.txt- IPv6 Multicast Address ../data/rfc/rfc5000.txt--------- Telephone Number Mapping (ENUM) Service Registration 3953* ../data/rfc/rfc5000.txt- for Presence Services -- ../data/rfc/rfc5000.txt--------- The Group Domain of Interpretation 3547 ../data/rfc/rfc5000.txt--------- Enhanced Compressed RTP (CRTP) for Links with High 3545 ../data/rfc/rfc5000.txt- Delay, Packet Loss and Reordering ../data/rfc/rfc5000.txt-IPCOM-PPP IP Header Compression over PPP 3544 ../data/rfc/rfc5000.txt--------- Registration Revocation in Mobile IPv4 3543 ../data/rfc/rfc5000.txt:-------- Authentication, Authorization and Accounting (AAA) 3539 ../data/rfc/rfc5000.txt- Transport Profile ../data/rfc/rfc5000.txt--------- Wrapping a Hashed Message Authentication Code (HMAC) 3537 ../data/rfc/rfc5000.txt- key with a Triple-Data Encryption Standard (DES) Key ../data/rfc/rfc5000.txt- or an Advanced Encryption Standard (AES) Key ../data/rfc/rfc5000.txt--------- The application/ogg Media Type 3534 -- ../data/rfc/rfc5000.txt--------- Reserved IPv6 Subnet Anycast Addresses 2526 ../data/rfc/rfc5000.txt-ATM-MIBMAN Definitions of Managed Objects for ATM Management 2515 ../data/rfc/rfc5000.txt-ATM-TC-OID Definitions of Textual Conventions and 2514 
../data/rfc/rfc5000.txt- OBJECT-IDENTITIES for ATM Management ../data/rfc/rfc5000.txt--------- Managed Objects for Controlling the Collection and 2513 ../data/rfc/rfc5000.txt: Storage of Accounting Information for ../data/rfc/rfc5000.txt- Connection-Oriented Networks ../data/rfc/rfc5000.txt:-------- Accounting Information for ATM Networks 2512 ../data/rfc/rfc5000.txt--------- Compressing IP/UDP/RTP Headers for Low-Speed Serial 2508 ../data/rfc/rfc5000.txt- Links ../data/rfc/rfc5000.txt- ../data/rfc/rfc5000.txt- ../data/rfc/rfc5000.txt- -- ../data/rfc/rfc5000.txt- (MPLS) and Generalized MPLS (GMPLS) Protocols and ../data/rfc/rfc5000.txt- Procedures ../data/rfc/rfc5000.txt--------- IANA Considerations for OSPF 4940* 130 ../data/rfc/rfc5000.txt--------- Symmetric RTP / RTP Control Protocol (RTCP) 4961* 131 ../data/rfc/rfc5000.txt--------- Guidance for Authentication, Authorization, and 4962* 132 ../data/rfc/rfc5000.txt: Accounting (AAA) Key Management ../data/rfc/rfc5000.txt--------- Specifying New Congestion Control Algorithms 5033* 133 ../data/rfc/rfc5000.txt--------- Email Submission Operations: Access and 5068* 134 ../data/rfc/rfc5000.txt- Accountability Requirements ../data/rfc/rfc5000.txt--------- IP Multicast Requirements for a Network Address 5135* 135 ../data/rfc/rfc5000.txt- Translator (NAT) and a Network Address Port -- ../data/rfc/rfc5000.txt- Translator (NAPT) ../data/rfc/rfc5000.txt--------- Email Submission Operations: Access and 134 5068* ../data/rfc/rfc5000.txt- Accountability Requirements ../data/rfc/rfc5000.txt--------- Specifying New Congestion Control Algorithms 133 5033* ../data/rfc/rfc5000.txt--------- Guidance for Authentication, Authorization, and 132 4962* ../data/rfc/rfc5000.txt: Accounting (AAA) Key Management ../data/rfc/rfc5000.txt--------- Symmetric RTP / RTP Control Protocol (RTCP) 131 4961* ../data/rfc/rfc5000.txt--------- IANA Considerations for OSPF 130 4940* ../data/rfc/rfc5000.txt--------- Change Process for Multiprotocol Label 
Switching 129 4929* ../data/rfc/rfc5000.txt- (MPLS) and Generalized MPLS (GMPLS) Protocols ../data/rfc/rfc5000.txt- and Procedures -- ../data/rfc/rfc5000.txt- Control Protocol Transport Mapping ../data/rfc/rfc5000.txt--------- Select and Sort Extensions for the Service Location 3421 ../data/rfc/rfc5000.txt- Protocol (SLP) ../data/rfc/rfc5000.txt--------- The Application Exchange (APEX) Presence Service 3343 ../data/rfc/rfc5000.txt--------- Dual Stack Hosts Using "Bump-in-the-API" (BIA) 3338 ../data/rfc/rfc5000.txt:-------- Policy-Based Accounting 3334 ../data/rfc/rfc5000.txt--------- PGM Reliable Transport Protocol Specification 3208 ../data/rfc/rfc5000.txt--------- Domain Security Services using S/MIME 3183 ../data/rfc/rfc5000.txt-SMX Script MIB Extensibility Protocol Version 1.1 3179 ../data/rfc/rfc5000.txt--------- ISO/IEC 9798-3 Authentication SASL Mechanism 3163 ../data/rfc/rfc5000.txt--------- Electronic Signature Policies 3125 -- ../data/rfc/rfc7925.txt- ../data/rfc/rfc7925.txt- Figure 2 shows the network access architecture with the IoT device ../data/rfc/rfc7925.txt- initiating the communication to an access point in the network using ../data/rfc/rfc7925.txt- the procedures defined for a specific physical layer. Since ../data/rfc/rfc7925.txt- credentials may be managed and stored centrally, in the ../data/rfc/rfc7925.txt: Authentication, Authorization, and Accounting (AAA) server, the ../data/rfc/rfc7925.txt- security protocol exchange may need to be relayed via the ../data/rfc/rfc7925.txt- Authenticator, i.e., functionality running on the access point to the ../data/rfc/rfc7925.txt- AAA server. 
The authentication and key exchange protocol itself is ../data/rfc/rfc7925.txt- encapsulated within a container, the Extensible Authentication ../data/rfc/rfc7925.txt- Protocol (EAP) [RFC3748], and messages are conveyed back and forth -- ../data/rfc/rfc7925.txt- ../data/rfc/rfc7925.txt- ../data/rfc/rfc7925.txt- +--------------+ ../data/rfc/rfc7925.txt- |Authentication| ../data/rfc/rfc7925.txt- |Authorization | ../data/rfc/rfc7925.txt: |Accounting | ../data/rfc/rfc7925.txt- |Server | ../data/rfc/rfc7925.txt- |(EAP Server) | ../data/rfc/rfc7925.txt- | | ../data/rfc/rfc7925.txt- +-^----------^-+ ../data/rfc/rfc7925.txt- * EAP o RADIUS/ -- ../data/rfc/rfc5218.txt- to configure/manage, are cheaper to deploy. ../data/rfc/rfc5218.txt- ../data/rfc/rfc5218.txt- o Business dependencies: Protocols that don't require changes to a ../data/rfc/rfc5218.txt- business model (whether for implementers or deployers) are easier ../data/rfc/rfc5218.txt- to deploy than ones that do. There are costs associated with ../data/rfc/rfc5218.txt: changing billing and accounting systems and retraining of ../data/rfc/rfc5218.txt- associated personnel, and in addition, the assumptions on which ../data/rfc/rfc5218.txt- the previous business model was based may change. For example, ../data/rfc/rfc5218.txt- some time ago many service providers had business models built ../data/rfc/rfc5218.txt- around dial-up with an assumption that machines were not connected ../data/rfc/rfc5218.txt- all the time; protocols that desired always-on connectivity -- ../data/rfc/rfc4721.txt- agent to use a challenge/response mechanism to authenticate the ../data/rfc/rfc4721.txt- mobile node. ../data/rfc/rfc4721.txt- ../data/rfc/rfc4721.txt- Furthermore, this document updates RFC 3344 by including a new ../data/rfc/rfc4721.txt- authentication extension called the Mobile-Authentication, ../data/rfc/rfc4721.txt: Authorization, and Accounting (AAA) Authentication extension. 
This ../data/rfc/rfc4721.txt- new extension is provided so that a mobile node can supply ../data/rfc/rfc4721.txt- credentials for authorization, using commonly available AAA ../data/rfc/rfc4721.txt- infrastructure elements. This authorization-enabling extension MAY ../data/rfc/rfc4721.txt- co-exist in the same Registration Request with authentication ../data/rfc/rfc4721.txt- extensions defined for Mobile IP Registration by RFC 3344. This -- ../data/rfc/rfc4721.txt- ../data/rfc/rfc4721.txt- A mobile node MAY include the Mobile-AAA Authentication extension in ../data/rfc/rfc4721.txt- the Registration Request when the mobile node registers directly with ../data/rfc/rfc4721.txt- its home agent (using a co-located care-of address). In this case, ../data/rfc/rfc4721.txt- the mobile node uses an SPI value of CHAP_SPI (Section 8) in the ../data/rfc/rfc4721.txt: Mobile Node-Authentication, Authorization, and Accounting (MN-AAA) ../data/rfc/rfc4721.txt- Authentication extension and MUST NOT include the Mobile-Foreign ../data/rfc/rfc4721.txt- Challenge extension. Also, replay protection for the Registration ../data/rfc/rfc4721.txt- Request in this case is provided by the Identification field defined ../data/rfc/rfc4721.txt- by [RFC3344]. ../data/rfc/rfc4721.txt- -- ../data/rfc/rfc5503.txt- information, and station information (e.g., coin-operated phone). In ../data/rfc/rfc5503.txt- addition, while translating the destination number, information such ../data/rfc/rfc5503.txt- as the local-number-portability office code is obtained and will be ../data/rfc/rfc5503.txt- needed by all other proxies handling this call. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt: For Usage Accounting records, it is necessary to have an identifier ../data/rfc/rfc5503.txt- that can be associated with all the event records produced for the ../data/rfc/rfc5503.txt- call. 
The SIP Call-ID header field cannot be used as such an ../data/rfc/rfc5503.txt- identifier since it is selected by the originating user agent, and it ../data/rfc/rfc5503.txt- may not be unique among all past calls as well as current calls. ../data/rfc/rfc5503.txt- Further, since this identifier is to be used by the service provider, -- ../data/rfc/rfc5503.txt- servers, announcement servers, etc. Outside of the trust boundary ../data/rfc/rfc5503.txt- lie the customer premises equipment and various application and media ../data/rfc/rfc5503.txt- servers operated by third-party service providers. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- Certain subscriber-specific information, such as billing and ../data/rfc/rfc5503.txt: accounting information, stays within the trust boundary. Other ../data/rfc/rfc5503.txt- subscriber-specific information, such as endpoint identity, may be ../data/rfc/rfc5503.txt- presented to untrusted endpoints or may be withheld based on ../data/rfc/rfc5503.txt- subscriber profiles. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- The User Agent (UA) may be either within the trust boundary or -- ../data/rfc/rfc5503.txt- information based on the authenticated identity of the calling and ../data/rfc/rfc5503.txt- called parties. Since there is a trust relationship among proxies, ../data/rfc/rfc5503.txt- they can be relied upon to exchange trusted billing information ../data/rfc/rfc5503.txt- pertaining to the parties involved in a call. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt: For Usage Accounting records, it is necessary to have an identifier ../data/rfc/rfc5503.txt- that can be associated with all the event records produced for the ../data/rfc/rfc5503.txt- call. The SIP Call-ID header field cannot be used as such an ../data/rfc/rfc5503.txt- identifier since it is selected by the originating user agent, and ../data/rfc/rfc5503.txt- may not be unique among all past calls as well as current calls. 
../data/rfc/rfc5503.txt- Further, since this identifier is to be used by the service provider, -- ../data/rfc/rfc5503.txt- the ability of the originator to re-use this private-URL for multiple ../data/rfc/rfc5503.txt- calls. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- A UAC that includes a Refer-To header in a REFER request MUST include ../data/rfc/rfc5503.txt- a P-DCS-Billing-Info header in the Refer-To's URL. This P-DCS- ../data/rfc/rfc5503.txt: Billing-Info header MUST include the accounting information of the ../data/rfc/rfc5503.txt- initiator of the REFER. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt-7.4. Procedures at an Untrusted User Agent Server (UAS) ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- This header is never sent to an untrusted UAS, and is never sent by -- ../data/rfc/rfc5503.txt- provider policy provisioned in the UAS. If the UAS performed an LNP ../data/rfc/rfc5503.txt- query, it MUST include the Routing Number and Location Routing Number ../data/rfc/rfc5503.txt- returned by the query. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- The UAS MUST add a P-DCS-Billing-Info header to a 3xx-Redirect ../data/rfc/rfc5503.txt: response to an initial INVITE, giving the accounting information for ../data/rfc/rfc5503.txt- the call forwarder, for the call segment from the destination to the ../data/rfc/rfc5503.txt- forwarded-to destination. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt-7.6. Procedures at Proxy ../data/rfc/rfc5503.txt- -- ../data/rfc/rfc5503.txt- removed. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- If the Request-URI contains a private-URL, and the decoded username ../data/rfc/rfc5503.txt- contains billing information, the originating proxy MUST generate a ../data/rfc/rfc5503.txt- P-DCS-Billing-Info header with that decrypted information. 
../data/rfc/rfc5503.txt: Otherwise, the originating proxy MUST determine the accounting ../data/rfc/rfc5503.txt- information for the call originator and insert a P-DCS-Billing-Info ../data/rfc/rfc5503.txt- header including that information. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- If the response to the initial INVITE is a 3xx-Redirect, received ../data/rfc/rfc5503.txt- prior to a non-100 provisional response, the originating proxy -- ../data/rfc/rfc5503.txt- expiration time very shortly in the future, to limit the ability of ../data/rfc/rfc5503.txt- the originator to re-use this private-URL for multiple calls. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- An originating proxy that processes a REFER request from an untrusted ../data/rfc/rfc5503.txt- UA MUST include a P-DCS-Billing-Info header in the Refer-To's URL. ../data/rfc/rfc5503.txt: This P-DCS-Billing-Info header MUST include the accounting ../data/rfc/rfc5503.txt- information of the initiator. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt-7.6.2. Procedures at Terminating Proxy ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- The terminating proxy MUST NOT send the P-DCS-Billing-Info header to -- ../data/rfc/rfc5503.txt- proxy. If the terminating proxy performed an LNP query, it MUST ../data/rfc/rfc5503.txt- include the Routing Number and Location Routing Number returned by ../data/rfc/rfc5503.txt- the query. ../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- The terminating proxy MUST add P-DCS-Billing-Info headers to a 3xx- ../data/rfc/rfc5503.txt: Redirect response to an initial INVITE, giving the accounting ../data/rfc/rfc5503.txt- information for the call forwarder, for the call segment from the ../data/rfc/rfc5503.txt- destination to the forwarded-to destination. 
../data/rfc/rfc5503.txt- ../data/rfc/rfc5503.txt- A proxy receiving a mid-call REFER request that includes a Refer-To ../data/rfc/rfc5503.txt- header generates a private-URL and places it in the Refer-To header -- ../data/rfc/rfc3169.txt-5.1. General protocol characteristics ../data/rfc/rfc3169.txt- ../data/rfc/rfc3169.txt- There are certain general characteristics that any AAA protocol used ../data/rfc/rfc3169.txt- by NAS's must meet. Note that the transport requirements for ../data/rfc/rfc3169.txt- authentication/authorization are not necessarily the same as those ../data/rfc/rfc3169.txt: for accounting/auditing. An AAA protocol suite MAY use the same ../data/rfc/rfc3169.txt- transport and protocol for both functions, but this is not strictly ../data/rfc/rfc3169.txt- required. ../data/rfc/rfc3169.txt- ../data/rfc/rfc3169.txt-5.1.1. Transport requirements ../data/rfc/rfc3169.txt- -- ../data/rfc/rfc3169.txt- ../data/rfc/rfc3169.txt-5.1.2.2. Minimum Set of Attributes ../data/rfc/rfc3169.txt- ../data/rfc/rfc3169.txt- At a minimum, the AAA protocol MUST support, or be easily extended to ../data/rfc/rfc3169.txt- support, the set of attributes supported by RADIUS [RADIUS] and ../data/rfc/rfc3169.txt: RADIUS Accounting [RADIUS-ACCOUNTING]. If the base AAA protocol does ../data/rfc/rfc3169.txt- not support this complete set of attributes, then an extension to ../data/rfc/rfc3169.txt- that protocol MUST be defined which supports this set. ../data/rfc/rfc3169.txt- ../data/rfc/rfc3169.txt- ../data/rfc/rfc3169.txt- -- ../data/rfc/rfc3169.txt-RFC 3169 Criteria for Evaluating NAS Protocols September 2001 ../data/rfc/rfc3169.txt- ../data/rfc/rfc3169.txt- ../data/rfc/rfc3169.txt- MUST support selective encryption of attributes on an attribute-by- ../data/rfc/rfc3169.txt- attribute basis, even within the same message. This requirement ../data/rfc/rfc3169.txt: applies equally to Authentication, Authorization, and Accounting ../data/rfc/rfc3169.txt- data. 
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-5.2. Authentication and User Security Requirements
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-5.2.1. Authentication protocol requirements
--
../data/rfc/rfc3169.txt- concurrent usage limits, port usage limits, and tunnel limits. This
../data/rfc/rfc3169.txt- capability should have error detection and synchronization features
../data/rfc/rfc3169.txt- that will recover state after network and system failures. This may
../data/rfc/rfc3169.txt- be accomplished by session information timeouts and explicit interim
../data/rfc/rfc3169.txt- status and disconnect messages. There should not be any dependencies
../data/rfc/rfc3169.txt: on the Accounting message stream, as per current practices.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-
--
../data/rfc/rfc3169.txt- authenticate compulsory tunnels, the AAA protocol MUST provide a
../data/rfc/rfc3169.txt- means of securing the credentials from end-to-end of the AAA
../data/rfc/rfc3169.txt- conversation. The AAA protocol MUST also provide protection against
../data/rfc/rfc3169.txt- replay attacks in this situation.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt:5.4. Accounting and Auditing Requirements
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt:5.4.1. Accounting Protocol Requirements
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-5.4.1.1. Guaranteed Delivery
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt: The accounting and auditing functions of the AAA protocol are used
../data/rfc/rfc3169.txt- for network planning, resource management, policy decisions, and
../data/rfc/rfc3169.txt- other functions that require accurate knowledge of the state of the
../data/rfc/rfc3169.txt- NAS. NAS operators need to be able to engineer their network usage
../data/rfc/rfc3169.txt- measurement systems to a predictable level of accuracy. Therefore,
../data/rfc/rfc3169.txt- an AAA protocol MUST provide a means of guaranteed delivery of
../data/rfc/rfc3169.txt: accounting information between the NAS and the AAA Server(s).
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt:5.4.1.2. Real Time Accounting
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- NAS operators often require a real time view onto the status of
../data/rfc/rfc3169.txt- sessions served by a NAS. Therefore, the AAA protocol MUST support
../data/rfc/rfc3169.txt: real-time delivery of accounting and auditing information. In this
../data/rfc/rfc3169.txt: context, real time is defined as accounting information delivery
../data/rfc/rfc3169.txt- beginning within one second of the triggering event.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt:5.4.1.3. Batch Accounting
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt: The AAA protocol SHOULD also support delivery of stored accounting
../data/rfc/rfc3169.txt- and auditing information in batches (non-real time).
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-
--
../data/rfc/rfc3169.txt-Beadles & Mitton Informational [Page 11]
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-RFC 3169 Criteria for Evaluating NAS Protocols September 2001
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt:5.4.1.4. Accounting Time Stamps
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt: There may be delays associated with the delivery of accounting
../data/rfc/rfc3169.txt- information. The NAS operator will desire to know the time an event
../data/rfc/rfc3169.txt- actually occurred, rather than simply the time when notification of
../data/rfc/rfc3169.txt- the event was received. Therefore, the AAA protocol MUST carry an
../data/rfc/rfc3169.txt: unambiguous time stamp associated with each accounting event. This
../data/rfc/rfc3169.txt- time stamp MUST be unambiguous with regard to time zone. Note that
../data/rfc/rfc3169.txt- this assumes that the NAS has access to a reliable time source.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt:5.4.1.5. Accounting Events
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt: At a minimum, the AAA protocol MUST support delivery of accounting
../data/rfc/rfc3169.txt- information triggered by the following events:
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- - Start of a user session
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- - End of a user session
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- - Expiration of a predetermined repeating time interval during a
../data/rfc/rfc3169.txt- user session. The AAA protocol MUST provide a means for the
../data/rfc/rfc3169.txt- AAA server to request that a NAS use a certain interval
../data/rfc/rfc3169.txt: accounting time.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- - Dynamic re-authorization during a user session (e.g., new
../data/rfc/rfc3169.txt- resources being delivered to the user)
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- - Dynamic re-authentication during a user session
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt:5.4.1.6. On-Demand Accounting
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- NAS operators need to maintain an accurate view onto the status of
../data/rfc/rfc3169.txt- sessions served by a NAS, even through failure of an AAA server.
../data/rfc/rfc3169.txt- Therefore, the AAA protocol MUST support a means of requesting
../data/rfc/rfc3169.txt: current session state and accounting from the NAS on demand.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt:5.4.2. Accounting Attribute Requirements
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- At a minimum, the AAA protocol MUST support delivery of the following
../data/rfc/rfc3169.txt: types of accounting/auditing data:
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- - All parameters used to authenticate a session.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- - Details of the authorization profile that was applied to the
../data/rfc/rfc3169.txt- session.
--
../data/rfc/rfc3169.txt- the session.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- - Details of the access protocol used during the session (port
../data/rfc/rfc3169.txt- type, connect speeds, etc.)
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt:5.4.3. Accounting Protocol Security Requirements
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-5.4.3.1. Integrity and Confidentiality
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt: Note that accounting and auditing data are operationally sensitive
../data/rfc/rfc3169.txt- information. The AAA protocol MUST provide a means to assure end-
../data/rfc/rfc3169.txt- to-end integrity of this data. The AAA protocol SHOULD provide a
../data/rfc/rfc3169.txt- means of assuring the end-to-end confidentiality of this data.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-5.4.3.2. Auditibility
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt: Network operators use accounting data for network planning, resource
../data/rfc/rfc3169.txt- management, and other business-critical functions that require
../data/rfc/rfc3169.txt- confidence in the correctness of this data. The AAA protocol SHOULD
../data/rfc/rfc3169.txt: provide a mechanism to ensure that the source of accounting data
../data/rfc/rfc3169.txt- cannot easily repudiate this data after transmission.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-6. Device Management Protocols
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- This document does not specify any requirements for device management
--
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt: [RADIUS-ACCOUNTING] Rigney, C., "RADIUS Accounting", RFC 2139,
../data/rfc/rfc3169.txt- April 1997.
../data/rfc/rfc3169.txt-
../data/rfc/rfc3169.txt- [ROAMING-REQUIREMENTS] Aboba, B. and G. Zorn, "Criteria for
../data/rfc/rfc3169.txt- Evaluating Roaming Protocols", RFC 2477,
../data/rfc/rfc3169.txt- January 1999.
--
../data/rfc/rfc1470.txt- interface.
../data/rfc/rfc1470.txt-
../data/rfc/rfc1470.txt- MECHANISM
../data/rfc/rfc1470.txt- SAS/CPE for Open Systems processes and reports data
../data/rfc/rfc1470.txt- from SNMP and other proprietary monitoring protocols,
../data/rfc/rfc1470.txt: as well as du and accounting.
../data/rfc/rfc1470.txt-
../data/rfc/rfc1470.txt- CAVEATS
../data/rfc/rfc1470.txt- The product is currently in alpha testing.
../data/rfc/rfc1470.txt-
../data/rfc/rfc1470.txt- BUGS
--
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- Description
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- The MS-CHAP-Domain Attribute indicates the Windows NT domain in
../data/rfc/rfc2548.txt- which the user was authenticated. It MAY be included in both
../data/rfc/rfc2548.txt: Access-Accept and Accounting-Request packets.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- A summary of the MS-CHAP-Domain Attribute format is given below. The
../data/rfc/rfc2548.txt- fields are transmitted left to right.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- 0 1 2 3
--
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- Description
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- The MS-RAS-Vendor Attribute is used to indicate the manufacturer
../data/rfc/rfc2548.txt- of the RADIUS client machine. It MAY be included in both Access-
../data/rfc/rfc2548.txt: Request and Accounting-Request packets.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- A summary of the MS-RAS-Vendor Attribute format is given below. The
../data/rfc/rfc2548.txt- fields are transmitted left to right.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- 0 1 2 3
--
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt-RFC 2548 Microsoft Vendor-specific RADIUS Attributes March 1999
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- sent in packets which do not contain an MS-RAS-Vendor Attribute.
../data/rfc/rfc2548.txt: It MAY be included in both Access-Request and Accounting-Request
../data/rfc/rfc2548.txt- packets.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- A summary of the MS-RAS-Version Attribute format is given below. The
../data/rfc/rfc2548.txt- fields are transmitted left to right.
../data/rfc/rfc2548.txt-
--
../data/rfc/rfc2548.txt-2.7.3. MS-Filter
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- Description
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- The MS-Filter Attribute is used to transmit traffic filters. It
../data/rfc/rfc2548.txt: MAY be included in both Access-Accept and Accounting-Request
../data/rfc/rfc2548.txt- packets.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- If multiple MS-Filter Attributes are contained within a packet,
../data/rfc/rfc2548.txt- they MUST be in order and they MUST be consecutive attributes in
../data/rfc/rfc2548.txt- the packet.
--
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- Description
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- The MS-Acct-Auth-Type Attribute is used to represent the method
../data/rfc/rfc2548.txt- used to authenticate the dial-up user. It MAY be included in
../data/rfc/rfc2548.txt: Accounting-Request packets.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- A summary of the MS-Acct-Auth-Type Attribute format is given below.
../data/rfc/rfc2548.txt- The fields are transmitted left to right.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- 0 1 2 3
--
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- Description
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- The MS-Acct-EAP-Type Attribute is used to represent the Extensible
../data/rfc/rfc2548.txt- Authentication Protocol (EAP) [15] type used to authenticate the
../data/rfc/rfc2548.txt: dial-up user. It MAY be included in Accounting-Request packets.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- A summary of the MS-Acct-EAP-Type Attribute format is given below.
../data/rfc/rfc2548.txt- The fields are transmitted left to right.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- 0 1 2 3
--
../data/rfc/rfc2548.txt- Description
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- The MS-Primary-DNS-Server Attribute is used to indicate the
../data/rfc/rfc2548.txt- address of the primary Domain Name Server (DNS) [16, 17] server to
../data/rfc/rfc2548.txt- be used by the PPP peer. It MAY be included in both Access-Accept
../data/rfc/rfc2548.txt: and Accounting-Request packets.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- A summary of the MS-Primary-DNS-Server Attribute format is given
../data/rfc/rfc2548.txt- below. The fields are transmitted left to right.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt-
--
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- Description
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- The MS-Secondary-DNS-Server Attribute is used to indicate the
../data/rfc/rfc2548.txt- address of the secondary DNS server to be used by the PPP peer.
../data/rfc/rfc2548.txt: It MAY be included in both Access-Accept and Accounting-Request
../data/rfc/rfc2548.txt- packets.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- A summary of the MS-Secondary-DNS-Server Attribute format is given
../data/rfc/rfc2548.txt- below. The fields are transmitted left to right.
../data/rfc/rfc2548.txt-
--
../data/rfc/rfc2548.txt- Description
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- The MS-Primary-NBNS-Server Attribute is used to indicate the
../data/rfc/rfc2548.txt- address of the primary NetBIOS Name Server (NBNS) [18] server to
../data/rfc/rfc2548.txt- be used by the PPP peer. It MAY be included in both Access-Accept
../data/rfc/rfc2548.txt: and Accounting-Request packets.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- A summary of the MS-Primary-MBNS-Server Attribute format is given
../data/rfc/rfc2548.txt- below. The fields are transmitted left to right.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- 0 1 2 3
--
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- Description
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- The MS-Secondary-NBNS-Server Attribute is used to indicate the
../data/rfc/rfc2548.txt- address of the secondary DNS server to be used by the PPP peer.
../data/rfc/rfc2548.txt: It MAY be included in both Access-Accept and Accounting-Request
../data/rfc/rfc2548.txt- packets.
../data/rfc/rfc2548.txt-
../data/rfc/rfc2548.txt- A summary of the MS-Secondary-NBNS-Server Attribute format is given
../data/rfc/rfc2548.txt- below. The fields are transmitted left to right.
../data/rfc/rfc2548.txt-
--
../data/rfc/rfc5563.txt- more detail. The PPP/IPCP (IP Control Protocol) protocol involves a
../data/rfc/rfc5563.txt- PPP client in the mobile device and a Network Access Server (NAS) in
../data/rfc/rfc5563.txt- the AR. DHCP involves a DHCP client in the MN and a DHCP server in
../data/rfc/rfc5563.txt- either the AR or the HA. PMIPv4 involves a PMA in the AR and an HA
../data/rfc/rfc5563.txt- in the router on the home network. The Authentication,
../data/rfc/rfc5563.txt: Authorization, and Accounting (AAA) protocol involves a AAA client in
../data/rfc/rfc5563.txt- the AR and a AAA server in the network. The collocation of the
../data/rfc/rfc5563.txt- functional entities in the AR/HA enables parameters to be
../data/rfc/rfc5563.txt- shared/processed among the protocols.
../data/rfc/rfc5563.txt-
../data/rfc/rfc5563.txt- When the various network entities are not collocated, any sharing of
--
../data/rfc/rfc6610.txt-
../data/rfc/rfc6610.txt-4.4. Home Agent Discovery Using a Network Access Server
../data/rfc/rfc6610.txt-
../data/rfc/rfc6610.txt- [RFC5447] describes the complete procedure for home agent assignment
../data/rfc/rfc6610.txt- among the mobile node, NAS (Network Access Server), DHCP, and
../data/rfc/rfc6610.txt: Authentication, Authorization, and Accounting (AAA) entities for the
../data/rfc/rfc6610.txt- bootstrapping procedure in the integrated scenario.
../data/rfc/rfc6610.txt-
../data/rfc/rfc6610.txt- A NAS is assumed to be co-located with a DHCP relay agent or a DHCP
../data/rfc/rfc6610.txt- server in this solution. In a network where the NAS is not
../data/rfc/rfc6610.txt- co-located with a DHCP relay or a server, the server may not be
--
../data/rfc/rfc1716.txt-essential part of any router implementation. Although these functions
../data/rfc/rfc1716.txt-do not seem to relate directly to interoperability, they are essential
../data/rfc/rfc1716.txt-to the network manager who must make the router interoperate and must
../data/rfc/rfc1716.txt-track down problems when it doesn't. This chapter also includes some
../data/rfc/rfc1716.txt-discussion of router initialization and of facilities to assist network
../data/rfc/rfc1716.txt:managers in securing and accounting for their networks.
../data/rfc/rfc1716.txt-
../data/rfc/rfc1716.txt-10.1 Introduction
../data/rfc/rfc1716.txt-
../data/rfc/rfc1716.txt- The following kinds of activities are included under router O&M:
../data/rfc/rfc1716.txt-
--
../data/rfc/rfc1716.txt- Having the ability to track who made changes and when is
../data/rfc/rfc1716.txt- highly desirable, especially if your packets suddenly
../data/rfc/rfc1716.txt- start getting routed through Alaska on their way across
../data/rfc/rfc1716.txt- town.
../data/rfc/rfc1716.txt-
../data/rfc/rfc1716.txt: (2) Packet Accounting
../data/rfc/rfc1716.txt-
../data/rfc/rfc1716.txt- Vendors should strongly consider providing a system for
../data/rfc/rfc1716.txt- tracking traffic levels between pairs of hosts or networks.
../data/rfc/rfc1716.txt- A mechanism for limiting the collection of this information
../data/rfc/rfc1716.txt- to specific pairs of hosts or networks is also strongly
--
../data/rfc/rfc3145.txt- This document provides an extension to the Layer 2 Tunneling Protocol
../data/rfc/rfc3145.txt- ("L2TP"), a mechanism for tunneling Point-to-Point Protocol (PPP)
../data/rfc/rfc3145.txt- sessions. L2TP lacks a mechanism for a host to provide PPP-related
../data/rfc/rfc3145.txt- disconnect cause information to another host. This information,
../data/rfc/rfc3145.txt- provided by the extension described in this document, can be useful
../data/rfc/rfc3145.txt: for accounting and debugging purposes.
../data/rfc/rfc3145.txt-
../data/rfc/rfc3145.txt-1. Introduction
../data/rfc/rfc3145.txt-
../data/rfc/rfc3145.txt- L2TP [1] defines a general-purpose mechanism for tunneling PPP over
../data/rfc/rfc3145.txt- various media. By design, it insulates L2TP operation from the
--
../data/rfc/rfc7480.txt- send to a client. While no standard HTTP response code is forbidden
../data/rfc/rfc7480.txt- in usage, this section defines the minimal set of response codes in
../data/rfc/rfc7480.txt- common use by servers that a client will need to understand. While
../data/rfc/rfc7480.txt- some clients may be constructed with simple tooling that does not
../data/rfc/rfc7480.txt- account for all of these response codes, a more robust client
../data/rfc/rfc7480.txt: accounting for these codes will likely provide a better user
../data/rfc/rfc7480.txt- experience. It is expected that usage of response codes and types
../data/rfc/rfc7480.txt- for this application not defined here will be described in subsequent
../data/rfc/rfc7480.txt- documents.
../data/rfc/rfc7480.txt-
../data/rfc/rfc7480.txt-5.1. Positive Answers
--
../data/rfc/rfc3198.txt- and referenced. These non-policy terms will not be defined in this
../data/rfc/rfc3198.txt- document, and the reader is requested to go to the referenced ISD for
../data/rfc/rfc3198.txt- additional detail.
../data/rfc/rfc3198.txt-
../data/rfc/rfc3198.txt- $ AAA
../data/rfc/rfc3198.txt: See "Authentication, Authorization, Accounting".
../data/rfc/rfc3198.txt-
../data/rfc/rfc3198.txt- $ abstraction levels
../data/rfc/rfc3198.txt- See "policy abstraction".
../data/rfc/rfc3198.txt-
../data/rfc/rfc3198.txt- $ action
../data/rfc/rfc3198.txt- See "policy action".
../data/rfc/rfc3198.txt-
../data/rfc/rfc3198.txt: $ Authentication, Authorization, Accounting (AAA)
../data/rfc/rfc3198.txt- (A) AAA deals with control, authentication, authorization and
../data/rfc/rfc3198.txt: accounting of systems and environments based on policies set
../data/rfc/rfc3198.txt- by the administrators and users of the systems. The use of
../data/rfc/rfc3198.txt- policy may be implicit - as defined by RADIUS [RFC2138]. In
../data/rfc/rfc3198.txt- RADIUS, a network access server sends dial-user credentials to
../data/rfc/rfc3198.txt- an AAA server, and receives authentication that the user is
../data/rfc/rfc3198.txt-
--
../data/rfc/rfc5779.txt- Local Mobility Anchor Interaction with Diameter Server
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt-Abstract
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt- This specification defines Authentication, Authorization, and
../data/rfc/rfc5779.txt: Accounting (AAA) interactions between Proxy Mobile IPv6 entities
../data/rfc/rfc5779.txt- (both Mobile Access Gateway and Local Mobility Anchor) and a AAA
../data/rfc/rfc5779.txt- server within a Proxy Mobile IPv6 Domain. These AAA interactions are
../data/rfc/rfc5779.txt- primarily used to download and update mobile node specific policy
../data/rfc/rfc5779.txt- profile information between Proxy Mobile IPv6 entities and a remote
../data/rfc/rfc5779.txt- policy store.
--
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt-1. Introduction
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt- This specification defines Authentication, Authorization, and
../data/rfc/rfc5779.txt: Accounting (AAA) interactions between a Mobile Access Gateway (MAG)
../data/rfc/rfc5779.txt- and a AAA server, and between a Local Mobility Anchor (LMA) and a AAA
../data/rfc/rfc5779.txt- server within a Proxy Mobile IPv6 (PMIPv6) Domain [RFC5213]. These
../data/rfc/rfc5779.txt- AAA interactions are primarily used to download and update mobile
../data/rfc/rfc5779.txt- node (MN) specific policy profile information between PMIPv6 entities
../data/rfc/rfc5779.txt- (a MAG and an LMA) and a remote policy store.
--
../data/rfc/rfc5779.txt-RFC 5779 Diameter Support for Proxy Mobile IPv6 February 2010
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt- Home AAA (HAAA):
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt: An Authentication, Authorization, and Accounting (AAA) server
../data/rfc/rfc5779.txt- located in user's home network. A HAAA is essentially a Diameter
../data/rfc/rfc5779.txt- server.
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt-3. Solution Overview
../data/rfc/rfc5779.txt-
--
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt- The MAG-to-HAAA interactions are primarily used for bootstrapping
../data/rfc/rfc5779.txt- PMIPv6 mobility service session when an MN attaches and authenticates
../data/rfc/rfc5779.txt- to a PMIPv6 Domain. This includes the bootstrapping of PMIPv6
../data/rfc/rfc5779.txt- session-related information. The same interface may also be used for
../data/rfc/rfc5779.txt: accounting. The MAG acts as a Diameter client.
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt- Whenever the MAG sends a Diameter request message to the HAAA, the
../data/rfc/rfc5779.txt- User-Name AVP SHOULD contain the MN's identity unless the identity is
../data/rfc/rfc5779.txt- being suppressed for policy reasons -- for example, when identity
../data/rfc/rfc5779.txt- hiding is in effect. The MN identity, if available, MUST be in
--
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt- The LMA-to-HAAA interface may be used for multiple purposes. These
../data/rfc/rfc5779.txt- include the authorization of the incoming PBU, updating the LMA
../data/rfc/rfc5779.txt- address to the HAAA, delegating the assignment of the MN-HNP (home
../data/rfc/rfc5779.txt- network prefix) or the IPv4-HoA (home address) to the HAAA, and for
../data/rfc/rfc5779.txt: accounting and PMIPv6 session management. The primary purpose of
../data/rfc/rfc5779.txt- this interface is to update the HAAA with the LMA address information
../data/rfc/rfc5779.txt- in case of dynamically assigned LMA, and exchange the MN address
../data/rfc/rfc5779.txt- assignment information between the LMA and the HAAA.
../data/rfc/rfc5779.txt-
../data/rfc/rfc5779.txt- The LMA-to-HAAA interface description is intended for different types
--
../data/rfc/rfc5879.txt- Section 3 discusses failure modes of the heuristics. An attacker can
../data/rfc/rfc5879.txt- poison flows, tricking inspectors into ignoring legitimate ESP-NULL
../data/rfc/rfc5879.txt- flows, but that is no worse than injecting fuzz.
../data/rfc/rfc5879.txt-
../data/rfc/rfc5879.txt- Forcing the use of ESP-NULL everywhere inside the enterprise, so that
../data/rfc/rfc5879.txt: accounting, logging, network monitoring, and intrusion detection all
../data/rfc/rfc5879.txt- work, increases the risk of sending confidential information where
../data/rfc/rfc5879.txt- eavesdroppers can see it.
../data/rfc/rfc5879.txt-
../data/rfc/rfc5879.txt-10. References
../data/rfc/rfc5879.txt-
--
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- The ability to detect denial of service (DoS) attacks against the
../data/rfc/rfc4377.txt- data or control planes MUST be part of any security management
../data/rfc/rfc4377.txt- related to MPLS OAM tools or techniques.
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt:4.11. Per-LSP Accounting Requirements
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- In an MPLS network, service providers can measure traffic from an LSR
../data/rfc/rfc4377.txt- to the egress of the network using some MPLS related MIBs, for
../data/rfc/rfc4377.txt- example. This means that it is reasonable to know how much traffic
../data/rfc/rfc4377.txt- is traveling from location to location (i.e., a traffic matrix) by
../data/rfc/rfc4377.txt: analyzing the flow of traffic. Therefore, traffic accounting in an
../data/rfc/rfc4377.txt- MPLS network can be summarized as the following three items:
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- (1) Collecting information to design network
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- For the purpose of optimized network design, a service
--
../data/rfc/rfc4377.txt- (2) Providing a Service Level Specification
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- Providers and their customers MAY need to verify high-level
../data/rfc/rfc4377.txt- service level specifications, either to continuously optimize
../data/rfc/rfc4377.txt- their networks, or to offer guaranteed bandwidth services.
../data/rfc/rfc4377.txt: Therefore, traffic accounting to monitor MPLS applications is
../data/rfc/rfc4377.txt- required.
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- (3) Inter-AS environment
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- Service providers that offer inter-AS services require
../data/rfc/rfc4377.txt: accounting of those services.
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- These three motivations need to satisfy the following:
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- - In (1) and (2), collection of information on a per-LSP
../data/rfc/rfc4377.txt- basis is a minimum level of granularity for collecting
../data/rfc/rfc4377.txt: accounting information at both of ingress and egress of an
../data/rfc/rfc4377.txt- LSP.
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- - In (3), SP's ASBR carry out interconnection functions as an
../data/rfc/rfc4377.txt- intermediate LSR. Therefore, identifying a pair of ingress
../data/rfc/rfc4377.txt- and egress LSRs using each LSP is needed to determine the
--
../data/rfc/rfc4377.txt-RFC 4377 OAM Requirements for MPLS Networks February 2006
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt-4.11.1. Requirements
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt: Accounting on a per-LSP basis encompasses the following set of
../data/rfc/rfc4377.txt- functions:
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt: (1) At an ingress LSR, accounting of traffic through LSPs that
../data/rfc/rfc4377.txt- begin at each egress in question.
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt: (2) At an intermediate LSR, accounting of traffic through LSPs for
../data/rfc/rfc4377.txt- each pair of ingress to egress.
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt: (3) At egress LSR, accounting of traffic through LSPs for each
../data/rfc/rfc4377.txt- ingress.
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- (4) All LSRs containing LSPs that are being measured need to have
../data/rfc/rfc4377.txt- a common identifier to distinguish each LSP. The identifier
../data/rfc/rfc4377.txt- MUST be unique to each LSP, and its mapping to LSP SHOULD be
--
../data/rfc/rfc4377.txt- reading traffic counters for the label stack associated with the
../data/rfc/rfc4377.txt- LSP at any LSR along its path. However, in order to measure
../data/rfc/rfc4377.txt- merged LSPs, an LSR MUST have a means to distinguish the source of
../data/rfc/rfc4377.txt- each flow so as to disambiguate the statistics.
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt:4.11.2. Location of Accounting
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- It is not realistic for LSRs to perform the described operations on
../data/rfc/rfc4377.txt- all LSPs that exist in a network. At a minimum, per-LSP based
../data/rfc/rfc4377.txt: accounting SHOULD be performed on the edges of the network -- at the
../data/rfc/rfc4377.txt- edges of both LSPs and the MPLS domain.
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt-5. Security Considerations
../data/rfc/rfc4377.txt-
../data/rfc/rfc4377.txt- Provisions to any of the network mechanisms designed to satisfy the
--
../data/rfc/rfc3929.txt- gravity of invoking these methods and partially to ensure that the
../data/rfc/rfc3929.txt- IETF community as a whole is alerted to and kept informed of the
../data/rfc/rfc3929.txt- process. Note that alternate procedures have been used in the past;
../data/rfc/rfc3929.txt- see [RFC3127] for a description of that used in the decision between
../data/rfc/rfc3929.txt- two competing candidate protocols for Authentication, Authorization,
../data/rfc/rfc3929.txt: and Accounting. By setting out these proposals, this document does
../data/rfc/rfc3929.txt- not intend to limit working group choice but intends to provide a set
../data/rfc/rfc3929.txt- of well-defined processes that obviate the need for reinvention in
../data/rfc/rfc3929.txt- most cases.
../data/rfc/rfc3929.txt-
../data/rfc/rfc3929.txt-
--
../data/rfc/rfc3929.txt-
../data/rfc/rfc3929.txt-8.2. Informative References
../data/rfc/rfc3929.txt-
../data/rfc/rfc3929.txt- [RFC3127] Mitton, D., StJohns, M., Barkley, S., Nelson, D., Patil,
../data/rfc/rfc3929.txt- B., Stevens, M., and B. Wolff, "Authentication,
../data/rfc/rfc3929.txt: Authorization, and Accounting: Protocol Evaluation", RFC
../data/rfc/rfc3929.txt- 3127, June 2001.
../data/rfc/rfc3929.txt-
../data/rfc/rfc3929.txt-
../data/rfc/rfc3929.txt-
../data/rfc/rfc3929.txt-Hardie Experimental [Page 9]
--
../data/rfc/rfc5851.txt- 3.2. Access-Loop Configuration . . . . . . . . . . . . . . . . 15
../data/rfc/rfc5851.txt- 3.3. Remote Connectivity Test . . . . . . . . . . . . . . . . . 16
../data/rfc/rfc5851.txt- 3.4. Multicast . . . . . . . . . . . . . . . . . . . . . . . . 17
../data/rfc/rfc5851.txt- 3.4.1. Multicast Conditional Access . . . . . . . . . . . . . 18
../data/rfc/rfc5851.txt- 3.4.2. Multicast Admission Control . . . . . . . . . . . . . 21
../data/rfc/rfc5851.txt: 3.4.3. Multicast Accounting and Reporting . . . . . . . . . . 26
../data/rfc/rfc5851.txt- 3.4.4. Spontaneous Admission Response . . . . . . . . . . . . 27
../data/rfc/rfc5851.txt- 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 28
../data/rfc/rfc5851.txt- 4.1. ANCP Functional Requirements . . . . . . . . . . . . . . . 28
../data/rfc/rfc5851.txt- 4.2. ANCP Multicast Requirements . . . . . . . . . . . . . . . 29
../data/rfc/rfc5851.txt- 4.3. Protocol Design Requirements . . . . . . . . . . . . . . . 30
--
../data/rfc/rfc5851.txt- (or a specific circuit on an Access Port) using an addressing scheme.
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt- In deployments using an ATM aggregation network, the ATM PVC on an
../data/rfc/rfc5851.txt- access loop connects the subscriber to a NAS. Based on this
../data/rfc/rfc5851.txt- property, the NAS typically includes a NAS-Port-Id, NAS-Port, or
../data/rfc/rfc5851.txt: Calling-Station-Id attribute in RADIUS authentication and accounting
../data/rfc/rfc5851.txt- packets sent to the RADIUS server(s). Such attribute includes the
../data/rfc/rfc5851.txt- identification of the ATM VC for this subscriber, which allows in
../data/rfc/rfc5851.txt- turn identifying the access loop.
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt- In an Ethernet-based aggregation network, a new addressing scheme is
--
../data/rfc/rfc5851.txt- Control check for the new multicast flow and responds to the AN
../data/rfc/rfc5851.txt- indicating whether the join is to be denied or honored (and hence
../data/rfc/rfc5851.txt- replication performed by the AN). The NAS may locally keep track
../data/rfc/rfc5851.txt- of the portion of the access-loop net data rate that is available
../data/rfc/rfc5851.txt- for (unicast or multicast) video flows and perform video bandwidth
../data/rfc/rfc5851.txt: accounting for the access loop. Upon receiving an Admission
../data/rfc/rfc5851.txt- Request from the AN, the NAS can check available access-loop
../data/rfc/rfc5851.txt- bandwidth before admitting or denying the multicast flow. In the
../data/rfc/rfc5851.txt- process, the NAS may communicate with the policy server. For
../data/rfc/rfc5851.txt- unicast video services such as Video on Demand (VoD), the NAS may
../data/rfc/rfc5851.txt- also be queried (by a policy server or via on-path CAC signaling),
--
../data/rfc/rfc5851.txt- Some network deployments may combine the use of white list, black
../data/rfc/rfc5851.txt- list, and grey list. The implications of such a model to the overall
../data/rfc/rfc5851.txt- Multicast Admission Control model are not fully explored in this
../data/rfc/rfc5851.txt- document.
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt:3.4.3. Multicast Accounting and Reporting
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt: It may be desirable to perform time- and/or volume-based accounting
../data/rfc/rfc5851.txt- for certain multicast flows sent on particular Access Ports. In case
../data/rfc/rfc5851.txt- the AN is performing the traffic replication process, it knows when
../data/rfc/rfc5851.txt- replication of a multicast flow to a particular Access Port or user
../data/rfc/rfc5851.txt: start and stops. Multicast accounting can be addressed in two ways:
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt- o The AN keeps track of when replication for a given multicast flow
../data/rfc/rfc5851.txt- starts or ends on a specified Access Port, and generates time-
../data/rfc/rfc5851.txt: and/or volume-based accounting information per Access Port and per
../data/rfc/rfc5851.txt: multicast flow, before sending it to a central accounting system
../data/rfc/rfc5851.txt: for logging. Given that the AN communicates with the accounting
../data/rfc/rfc5851.txt- system directly, the approach doesn't require the use of ANCP. It
../data/rfc/rfc5851.txt- is therefore beyond the scope of this document;
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt- o The AN keeps track of when replication for a given multicast flow
../data/rfc/rfc5851.txt- starts or ends on a specified Access Port, and reports this
../data/rfc/rfc5851.txt- information to the NAS for further processing. In this case, ANCP
../data/rfc/rfc5851.txt- can be used to send the information from the AN to the NAS. This
../data/rfc/rfc5851.txt- will be discussed in the remainder of this document.
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt: The Access Node can send multicast accounting information to the NAS
../data/rfc/rfc5851.txt- using the Information Report message. A distinction can be made
../data/rfc/rfc5851.txt- between two cases:
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt: o Basic accounting information: the Access Node informs the NAS
../data/rfc/rfc5851.txt- whenever replication starts or ends for a given multicast flow on
../data/rfc/rfc5851.txt- a particular Access Port;
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt: o Detailed accounting information: the Access Node not only informs
../data/rfc/rfc5851.txt- the NAS when replication starts or ends, but also informs the NAS
../data/rfc/rfc5851.txt- about the multicast traffic volume replicated on the Access Port
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt-
--
../data/rfc/rfc5851.txt- for that multicast flow. This is done by adding a byte count in
../data/rfc/rfc5851.txt- the Information Report message that is sent to the NAS when
../data/rfc/rfc5851.txt- replication ends.
../data/rfc/rfc5851.txt-
../data/rfc/rfc5851.txt- Upon receiving the Information Report messages, the NAS generates the
../data/rfc/rfc5851.txt: appropriate time- and/or volume-based accounting records per access
../data/rfc/rfc5851.txt: loop and per multicast flow to be sent to the accounting system.
The NAS should inform the Access Node about the type of accounting needed for a given multicast flow on a particular Access Port:

o No reporting messages need to be sent to the NAS.

o Basic accounting is required.

o Detailed accounting is required.

Note that in case of very fast channel changes, the number of Information Report messages to be sent to the NAS could become high.

The ANCP requirements to support this use case are specified below in
--
R-18 The ANCP MUST allow the AN to send an Information Report message to the NAS indicating the multicast traffic volume that has been replicated on that port.

R-19 The ANCP MUST allow the NAS to indicate to the AN whether or not multicast accounting is needed for a multicast flow on a particular Access Port.

R-20 In case multicast accounting is needed for a multicast flow on a particular Access Port, the ANCP MUST allow the NAS to indicate to the AN whether or not additional volume accounting information is required.

R-21 The ANCP MUST allow the NAS to revoke a decision to replicate a multicast flow to a particular Access Port, which had been conveyed earlier to an AN.
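The NAS side of the RFC 5851 model above (per-port, per-flow accounting mode; start/end Information Reports; a byte count only on the "replication ends" report in detailed mode) is small enough to write out. The following is an added example, not code from RFC 5851 or any ANCP implementation: the decoded InformationReport shape, the port and flow names, and the sample report sequence are all assumptions (ANCP's wire encoding is not modelled). It turns AN reports into time- and/or volume-based records per access loop and per flow, and treats the cases a billing pipeline must not silently accept: a report for a flow no accounting was requested for, a "start" while replication is already active (the previous interval is closed, since the AN's earlier "end" was evidently lost), an "end" with no matching start, and a detailed-mode "end" that carries no byte count.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Flow identity: (multicast group, source); "*" as source denotes an any-source (ASM) flow.
Flow = Tuple[str, str]


class AccountingMode(Enum):
    NONE = "no reporting"
    BASIC = "start/end only"
    DETAILED = "start/end plus byte count on end"


@dataclass(frozen=True)
class InformationReport:
    """Assumed decoded form of an AN -> NAS Information Report (wire format not modelled)."""
    access_port: str
    flow: Flow
    started: bool                       # True: replication started; False: replication ended
    timestamp: int                      # seconds on the AN's clock
    byte_count: Optional[int] = None    # only expected on "ended" reports in DETAILED mode


@dataclass
class AccountingRecord:
    access_port: str
    flow: Flow
    start: int
    end: int
    byte_count: Optional[int]           # None when only time-based (basic) accounting applies

    @property
    def seconds(self) -> int:
        return self.end - self.start


class NasMulticastAccounting:
    def __init__(self, modes: Dict[Tuple[str, Flow], AccountingMode]):
        self.modes = modes                                  # what the NAS told each AN to report
        self.active: Dict[Tuple[str, Flow], int] = {}       # open intervals: key -> start time
        self.records: List[AccountingRecord] = []
        self.anomalies: List[str] = []

    def mode_for(self, port: str, flow: Flow) -> AccountingMode:
        return self.modes.get((port, flow), AccountingMode.NONE)

    def handle(self, rpt: InformationReport) -> None:
        key = (rpt.access_port, rpt.flow)
        mode = self.mode_for(*key)
        if mode is AccountingMode.NONE:
            self.anomalies.append(f"{key}: report received although no accounting was requested")
            return
        if rpt.started:
            if key in self.active:
                self.anomalies.append(f"{key}: start while already replicating; closing old interval")
                self._close(key, rpt.timestamp, None)
            self.active[key] = rpt.timestamp
            return
        if key not in self.active:
            self.anomalies.append(f"{key}: end report with no matching start")
            return
        byte_count = None
        if mode is AccountingMode.DETAILED:
            if rpt.byte_count is None:
                self.anomalies.append(f"{key}: detailed accounting requested but no byte count")
            else:
                byte_count = rpt.byte_count
        self._close(key, rpt.timestamp, byte_count)

    def _close(self, key: Tuple[str, Flow], end: int, byte_count: Optional[int]) -> None:
        start = self.active.pop(key)
        self.records.append(AccountingRecord(key[0], key[1], start, end, byte_count))

    def totals(self, port: str) -> Dict[str, Optional[int]]:
        """Per-access-loop totals; 'bytes' is None when no volume information was collected."""
        secs, total_bytes, have_bytes = 0, 0, False
        for r in self.records:
            if r.access_port != port:
                continue
            secs += r.seconds
            if r.byte_count is not None:
                total_bytes, have_bytes = total_bytes + r.byte_count, True
        return {"seconds": secs, "bytes": total_bytes if have_bytes else None}


# Constructed sample: two access ports, two channels, one fast zap and one lost "end" report.
PORT_A, PORT_B = "dsl-1/2/3", "dsl-1/2/4"
CH1: Flow = ("232.1.1.1", "10.0.0.1")
CH2: Flow = ("232.1.1.2", "10.0.0.1")
SAMPLE_MODES = {
    (PORT_A, CH1): AccountingMode.DETAILED,
    (PORT_A, CH2): AccountingMode.DETAILED,
    (PORT_B, CH1): AccountingMode.BASIC,
}
SAMPLE_REPORTS = [
    InformationReport(PORT_A, CH1, True, 0),
    InformationReport(PORT_A, CH1, False, 3, byte_count=900_000),      # zapped away after 3 s
    InformationReport(PORT_A, CH2, True, 3),
    InformationReport(PORT_B, CH1, True, 10),
    InformationReport(PORT_B, CH1, False, 70),                         # basic mode: no byte count
    InformationReport(PORT_B, CH1, True, 80),
    InformationReport(PORT_B, CH1, True, 90),                          # AN's "end" was never seen
    InformationReport(PORT_B, CH1, False, 150),
    InformationReport(PORT_B, CH2, True, 200),                         # no accounting requested
    InformationReport(PORT_A, CH2, False, 603, byte_count=225_000_000),
    InformationReport(PORT_A, CH1, False, 700, byte_count=1),          # end without start
]


def run_sample() -> NasMulticastAccounting:
    nas = NasMulticastAccounting(SAMPLE_MODES)
    for rpt in SAMPLE_REPORTS:
        nas.handle(rpt)
    return nas
```

The sample yields five records, 603 seconds and 225,900,000 bytes on the first port, 130 seconds with no volume figure on the basic-mode port, and three anomalies. Nothing here reduces the report rate under fast channel changes; that load is between AN and NAS and is why the NAS can switch a flow to "no reporting" rather than pay for every zap.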
--
R-103 The NAS must support using ANCP to incrementally add, remove, and modify individual entries in white, black, and grey lists.

R-104 The NAS must support using ANCP to indicate to the AN whether or not multicast accounting is needed for a multicast flow on a particular Access Port.

R-105 In case multicast accounting is needed for a multicast flow on a particular Access Port, the NAS should support using ANCP to indicate to the AN whether or not additional volume accounting information is required.

R-106 The NAS must support using ANCP to query the AN to obtain information on what multicast flows are currently replicated on a given Access Port.
--
[rfc8280.txt]
Explanation: Certain technical choices may have unintended consequences.

Example: Lack of authenticity may lead to lack of integrity and negative externalities; spam is an example.
Lack of data that could be used for billing and accounting can lead to so-called "free" arrangements that obscure the actual costs and distribution of the costs -- for example, (1) the barter arrangements that are commonly used for Internet interconnection and (2) the commercial exploitation of personal data for targeted advertising, which is the most common funding model for the so-called "free" services
--
[rfc6937.txt]
PRR does not change the risk profile for TCP.

Implementers that change PRR from counting bytes to segments have to be cautious about the effects of ACK splitting attacks [Savage99], where the receiver acknowledges partial segments for the purpose of confusing the sender's congestion accounting.

9. References

9.1. Normative References
--
[rfc2093.txt]
use of multicast communications protocols.

1 Background

Traditional key management distribution has mimicked the military paper-based key accounting system. Key was distributed, ordered, and accounted for physically, leading to large lead times and expensive operations.

Cooperative key management algorithms exist that allow pairwise keys to be generated between two pieces of equipment.
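The RFC 6937 caveat above (count bytes, not segments, or an ACK-splitting receiver can inflate the sender's congestion accounting) is easy to see in numbers. The following is an added example and not PRR's own algorithm or any stack's code: it models only the per-ACK accounting rule during slow start, with the MSS and initial window as assumed constants, and ignores everything else a real sender does. A receiver that answers each 1460-byte segment with four partial ACKs gets four times the window growth from an ACK-counting sender and exactly the same growth as an honest receiver from a byte-counting one.

```python
MSS = 1460            # assumed sender maximum segment size, bytes
IW = 10 * MSS         # assumed starting congestion window; only a baseline for the arithmetic


def split_acks(segment_bytes: int, pieces: int) -> list:
    """Bytes newly acknowledged by each ACK when a receiver acknowledges one segment in
    `pieces` partial ACKs instead of one (the Savage99 ACK-splitting trick). pieces=1 is honest."""
    if not 1 <= pieces <= segment_bytes:
        raise ValueError("pieces must be between 1 and the segment size")
    base, rem = divmod(segment_bytes, pieces)
    # Spread the remainder over the first ACKs so the pieces sum to the segment exactly.
    return [base + 1 if i < rem else base for i in range(pieces)]


def growth(segments: int, pieces: int, count_bytes: bool) -> int:
    """Congestion window growth (bytes) after the sender processes the ACKs covering
    `segments` full-size segments, each acknowledged in `pieces` partial ACKs.

    count_bytes=True : byte counting, cwnd += min(bytes_acked, MSS) per ACK (RFC 3465 style, L=1)
    count_bytes=False: ACK counting,  cwnd += MSS per ACK, whatever the ACK actually covers
    Simplified slow-start arithmetic: it isolates the accounting rule and ignores cwnd-limited
    sending, delayed ACKs and loss recovery."""
    cwnd = IW
    for _ in range(segments):
        for acked in split_acks(MSS, pieces):
            cwnd += min(acked, MSS) if count_bytes else MSS
    return cwnd - IW


def inflation(segments: int, pieces: int) -> float:
    """Extra window an ACK-counting sender grants a splitting receiver, relative to byte counting."""
    return growth(segments, pieces, count_bytes=False) / growth(segments, pieces, count_bytes=True)


if __name__ == "__main__":
    for pieces in (1, 4, 10):
        print(f"{pieces:2d} ACKs/segment: byte-counting={growth(10, pieces, True):6d} "
              f"ACK-counting={growth(10, pieces, False):6d} inflation={inflation(10, pieces):.1f}x")
```

Byte counting is invariant under splitting because the partial ACKs still sum to the bytes actually delivered; that is the property the RFC's warning is protecting, and it holds for any split factor, not just the one shown.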
This gives a quicker
--
[rfc3499.txt]
Policy Service with Policy Provisioning (COPS-PR)

Common Open Policy Services (COPS) Protocol (RFC 2748) defines the capability of reporting information to the Policy Decision Point (PDP). The types of report information are success, failure and accounting of an installed state. This document focuses on the COPS Report Type of Accounting and the necessary framework for the monitoring and reporting of usage feedback for an installed state. This memo provides information for the Internet community.

3482 Foster Feb 2003 Number Portability in the
--
specific issues to be carefully evaluated before creating an UNSAF proposal. This memo provides information for the Internet community.

3423 Zhang Nov 2002 XACCT's Common Reliable Accounting for Network Element (CRANE) Protocol Specification Version 1.0

This document defines the Common Reliable Accounting for Network Element (CRANE) protocol that enables efficient and reliable delivery of any data, mainly accounting data from Network Elements to any systems, such as mediation systems and Business Support Systems (BSS)/Operations Support Systems (OSS).
The protocol is developed to address the critical need for exporting high volumes of accounting data from NEs with efficient use of network, storage, and processing resources.

This document specifies the architecture of the protocol and the message format, which MUST be supported by all CRANE protocol implementations. This memo provides information for the Internet community.
--
[rfc4877.txt]
TSr}

When EAP is used, the identity presented by the mobile node in the IDi field may not be the actual identity of the mobile node. It could be set to an identity that is used only for Authentication, Authorization, and Accounting (AAA) routing purposes and selecting the right EAP method. It is possible that the actual identity is

Devarapalli & Dupont Standards Track [Page 21]
--
[rfc4687.txt]
4.6. Alarm Suppression, Aggregation, and Layer Coordination .....8
4.7. Support for OAM Interworking for Fault Notification ........8
4.8. Error Detection and Recovery ...............................9
4.9. Standard Management Interfaces .............................9
4.10. Detection of Denial of Service Attacks ...................10
4.11. Per-LSP Accounting Requirements ..........................10
5. Security Considerations ........................................10
6. References .....................................................11
6.1.
Normative References ......................................11
6.2. Informative References ....................................11
7. Acknowledgements ...............................................12
--
The ability to detect denial of service (DoS) attacks against the data or control planes that signal P2MP LSPs MUST be part of any security management related to MPLS OAM tools or techniques.

4.11. Per-LSP Accounting Requirements

In an MPLS network where P2MP LSPs are in use, Service Providers can measure traffic from an LSR to the egress of the network using some MPLS-related MIB modules (see section 4.9), for example. Other interfaces MAY exist as well and enable the creation of traffic
--
pairing relationship between an ingress and a single egress. Fundamental to understanding traffic flows within a network that supports P2MP LSPs will be the knowledge of where the traffic is branched for each LSP within the network, that is, where within the network the branch nodes for the LSPs are located and what their relationship is to links and other LSRs. Traffic flow and accounting tools MUST take this fact into account.

5.
Security Considerations

This document introduces no new security issues compared with
--
[rfc2124.txt]
1 - 14 (decimal) as specified in [1700]
15 E.164 with NSAP format subaddress

Flow ID IE

In order to accumulate the flow accounting statistics across multiple FASs in case of a FAS failure, a globally unique flow identifier needs to be formed. To accomplish this the FAS assigns a prefix if requested by the CCE. The CCE then assigns a CCE flow identifier that it guarantees to be unique for the use of the FAS flow identifier prefix for each flow admitted. If the CCE needs to reuse
--
[rfc926.txt]
functions are tightly related to how one signals changes in Quality of Service.

G. Accounting

What entities, administrations, etc., are responsible for network accounting? How does this happen? What accounting information, if any, is required from the subnetworks in order to charge for network resources? Who is charged? To what degree is this to be standardized?
--
[rfc2064.txt]
- METER READERS, which collect traffic flow data from meters, and

- MANAGERS, which oversee the operation of meters and meter readers.

This memo defines the SNMP management information for a Traffic Flow Meter (TFM).
It documents the earlier work of the Internet Accounting Working Group, and is intended to provide a starting point for the Realtime Traffic Flow Measurement Working Group.

3.1 Scope of Definitions, Textual Conventions
--
    SYNTAX Integer32
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Index to the array of rule sets. Specifies which set of rules is currently being used for accounting by this manager. When the manager sets this variable the meter will close its current rule set and start using the new one. Flows created by the old rule set remain in memory, orphaned until their data has been read. Specifying rule set 0 (the empty set) stops flow measurement by this manager."
--
    SYNTAX AddressType
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "Adjacent address type of the source for this flow. If accounting is being performed at the network level the adjacent address will probably be an 802 MAC address, and the adjacent address type will indicate the medium type."
    ::= { flowDataEntry 5 }

flowDataSourceAdjacentAddress OBJECT-TYPE
--
    STATUS current
    DESCRIPTION
        "Session ID for this flow.
        Such an ID might be allocated by a network access server to distinguish a series of sessions between the same pair of addresses, which would otherwise appear to be parts of the same accounting flow."
    ::= { flowDataEntry 35 }

flowDataSourceClass OBJECT-TYPE
    SYNTAX INTEGER (1..255)
    MAX-ACCESS read-only
--
        flowActiveFlows,
        flowMaxFlows }
    STATUS current
    DESCRIPTION
        "The control group defines objects which are used to control an accounting meter."
    ::= { flowMIBGroups 1 }

flowDataTableGroup OBJECT-GROUP
    OBJECTS {
        flowDataIndex,
--
5 Acknowledgements

This document was initially produced under the auspices of the IETF's Accounting Working Group with assistance from SNMP and SAAG working groups. Particular thanks are due to Jim Barnes, Sig Handelman and Stephen Stibler for their support and their assistance with checking the MIB.

6 References
--
Brownlee Experimental [Page 37]

RFC 2064 Meter MIB January 1997

[8] Mills, C., Hirsch, G. and G.
Ruth, "Internet Accounting Background," RFC 1272, Bolt Beranek and Newman Inc., Meridian Technology Corporation, November 1991.

[9] Brownlee, N., Mills, C., and G. Ruth, "Traffic Flow Measurement: Architecture", RFC 2063, The University of Auckland, Bolt Beranek and
--
[rfc6973.txt]
privacy protection goals as well.

Some communications tasks require multiple protocol interactions with different entities. For example, a request to an HTTP server may be preceded by an interaction between the initiator and an Authentication, Authorization, and Accounting (AAA) server for network access and to a Domain Name System (DNS) server for name resolution. In this case, the HTTP server is the recipient and the other entities are enablers of the initiator-to-recipient communication. Similarly, a single communication with the recipient might generate further protocol interactions between either the
--
[rfc8501.txt]
DDNS messages to the ISP's name server.

2.3.6. Populate from RADIUS Server

A user may receive an address or prefix from a RADIUS server [RFC2865], the details of which may be recorded via RADIUS Accounting data [RFC2866]. The ISP may populate the forward and reverse zones from the accounting data if it contains enough information.
This solution allows the ISP to populate data concerning allocated prefixes as per Section 2.2 (wildcards) and customer premises equipment (CPE) endpoints. However, as with Section 2.3.5, it does not allow the ISP to populate information concerning individual hosts.
--
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000, <https://www.rfc-editor.org/info/rfc2865>.

[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, DOI 10.17487/RFC2866, June 2000, <https://www.rfc-editor.org/info/rfc2866>.

[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, DOI 10.17487/RFC3007, November 2000,
--
[rfc4746.txt]
4.3.9. Fast Reconnect

Although a specific fast reconnection option is not included, execution of PAX_STD requires very little computation time and is therefore bound primarily by the latency of the Authentication, Authorization, and Accounting (AAA) server.

4.3.10. Session Independence

This protocol easily achieves backward secrecy through, among other things, use of the PAX-KDF. Given a current session key, attackers
--
[rfc5113.txt]
determine the roaming path that best matches the user's preferences.
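The RFC 8501 section 2.3.6 passage above says the ISP can derive forward and reverse zone content from RADIUS Accounting data, can populate allocated prefixes as wildcards and CPE endpoints, but not individual hosts. The following is an added example and not code from RFC 8501 or any RADIUS or DNS product: the accounting record is a constructed dict of standard attributes (Framed-IP-Address from RFC 2865, Framed-IPv6-Prefix from RFC 3162, Delegated-IPv6-Prefix from RFC 4818, Acct-Status-Type from RFC 2866) with made-up values, and the hostname scheme and the example.net domain are assumptions. It emits the A and PTR records for the IPv4 endpoint and a wildcard PTR under ip6.arpa for each nibble-aligned IPv6 prefix, adding on Acct-Start and deleting on Acct-Stop, and shows why only a wildcard is possible: the accounting data never names the hosts behind the CPE.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: one RADIUS Accounting-Request, already decoded into attribute/value pairs.
SAMPLE_ACCT_START = {
    "Acct-Status-Type": "Start",
    "User-Name": "cust-00042",
    "Framed-IP-Address": "198.51.100.42",
    "Framed-IPv6-Prefix": "2001:db8:42:1::/64",      # prefix on the customer's access link
    "Delegated-IPv6-Prefix": "2001:db8:4200::/56",   # prefix delegated to the CPE for its LAN
}

Record = Tuple[str, str, str, str]   # (action, owner name, RR type, rdata), names as FQDNs


def prefix_reverse_zone(net: ipaddress.IPv6Network) -> str:
    """ip6.arpa name covering `net`. Only a nibble-aligned prefix (/4, /8, ..., /64) maps to one name."""
    if net.prefixlen % 4:
        raise ValueError(f"{net} is not on a nibble boundary")
    labels = net.network_address.reverse_pointer.split(".")   # 32 reversed nibbles + ['ip6', 'arpa']
    nibbles = labels[:32]
    keep = nibbles[32 - net.prefixlen // 4:]                  # the most significant prefixlen/4 nibbles
    return ".".join(keep + ["ip6", "arpa"])


def records_from_acct(attrs: Dict[str, str], domain: str) -> List[Record]:
    """DNS changes implied by one accounting record: additions on Start, removals on Stop."""
    status = attrs.get("Acct-Status-Type")
    if status == "Start":
        action = "add"
    elif status == "Stop":
        action = "delete"
    else:
        return []          # Interim-Update or anything else: nothing changes in DNS
    user = attrs.get("User-Name")
    if not user:
        return []          # without a stable subscriber name there is no forward record to build
    host = f"{user}.{domain}."      # assumed naming scheme for the CPE endpoint
    recs: List[Record] = []

    v4 = attrs.get("Framed-IP-Address")
    if v4:
        addr = ipaddress.IPv4Address(v4)
        recs.append((action, host, "A", str(addr)))
        recs.append((action, addr.reverse_pointer + ".", "PTR", host))

    for attr in ("Framed-IPv6-Prefix", "Delegated-IPv6-Prefix"):
        value = attrs.get(attr)
        if not value:
            continue
        net = ipaddress.IPv6Network(value, strict=False)
        if net.prefixlen % 4:
            continue       # would need several wildcard names; not covered by this example
        # Hosts behind the CPE choose their own interface identifiers and never appear in the
        # accounting data, so the best the ISP can publish is a wildcard PTR for the whole prefix.
        recs.append((action, "*." + prefix_reverse_zone(net) + ".", "PTR", host))
    return recs


if __name__ == "__main__":
    for rec in records_from_acct(SAMPLE_ACCT_START, "example.net"):
        print(*rec)
```

Feeding the Stop record for the same session returns the same four records with action "delete", which is what keeps the zones from accumulating stale PTRs when addresses are reassigned.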
This can lead to the user being charged more than necessary, or not obtaining the desired services. For example, the visited access realm could have both a direct relationship with the home realm and an indirect relationship through a roaming consortium. Current Authentication, Authorization, and Accounting (AAA) protocols may not be able to route the access request to the home AAA server purely based on the realm within the Network Access Identifier (NAI) [RFC4282]. In addition, payload packets can be routed or tunneled differently, based on the roaming relationship path. This may have an impact on the available services or their
--
Arkko, et al. Informational [Page 4]

RFC 5113 Network Discovery and SP January 2008

Authentication, Authorization, and Accounting (AAA)

AAA protocols with EAP support include Remote Authentication Dial-In User Service (RADIUS) [RFC3579] and Diameter [RFC4072].

Access Point (AP)
--
Solutions to the AAA routing issues discussed in Section 2.3 need to apply to a wide range of AAA messages, and should not restrict the introduction of new AAA or access network functionality. For example, AAA routing mechanisms should work for access requests and responses as well as accounting requests and responses and server-initiated messages.
Solutions should not restrict the development of new AAA attributes, access types, or performance optimizations (such as fast handoff support).

3.2. Backward Compatibility
--
[rfc167.txt]
The current NCP Protocol says nothing about how hosts should assign socket numbers to process ports, except that the low-order bit is to specify socket gender (i.e., send or receive). Two recent proposals call for additional network-wide conventions on the 32-bit socket-number. The first proposal asks that a portion of the socket number be reserved for a network-unique user number for accounting and access control. The second proposal asks that the high-order 16 bits of the socket number be zero to assist smaller hosts in reducing the space required for socket number tables.

It is recommended that both of these proposals be set aside. Because a large perturbation of the current NCP Protocol is required to provide adequate handles for accounting and access control, and because the socket number is already underpowered for its use, it is recommended that both proposals be set aside until serious consideration can be given to a major NCP Protocol overhaul.

DISCUSSION
--
The socket number, as it is used in the current NCP Protocol, is a small number with a big function.
It will probably be found that a substantially more powerful identification mechanism (e.g., a hierarchical naming scheme with arbitrarily long names) is required to satisfactorily manipulate process ports. Two features of such a mechanism will be (1) that it treats accounting and access control with the respect they deserve, and (2) that it is part of a simpler NCP Protocol more easily implemented under the existing size and complexity restrictions of smaller hosts.

Socket numbers are process port identifiers used in establishing
--
[rfc1454.txt]
topology. This obviously has significance for addressing (whether geographical or topological) and routing. There seems to be an understanding of the problem, but so far no detailed specification of a solution.

4.3 Accounting

The IESG selection criteria require only that proposals do not have the effect of preventing the collection of information that may be of interest for audit or billing purposes. Consequently, none of the proposals consider potential accounting mechanisms.

4.4 Security

"Network Layer Security Issues are For Further Study". Or secret.
--
[rfc8520.txt]
RFC 8520 Manufacturer Usage Descriptions March 2019

A MUD manager may be a component of an Authentication, Authorization, and Accounting (AAA) system or a network management system. Communication within those systems and from those systems to network elements is beyond the scope of this memo.

1.9. Order of Operations
--
restart, similar to what it would do absent MUD manager functionality. In the case where the DHCP server forwards information to the MUD manager, the MUD manager will either make use of redundant DHCP servers for information or clear state based on other network information, such as monitoring port status on a switch via SNMP, RADIUS accounting, or similar mechanisms.

10.3. Relay Requirements

There are no additional requirements for relays.
--
[rfc2067.txt]
kilobytes of user data consists of "n" full bursts and one short burst equal in length to the number of bytes in the HIPPI, LLC, IP and TCP headers. "Hold Time" is the minimum connection duration needed to send the packets. "Burst Rate" is the effective transfer rate for the duration of the connection, not counting connection switching time.
Throughput rates are in megabytes/second, accounting for connection switching times of 10, 30, 60, 90, 120 and 150 microseconds. These calculations ignore any limit on the rate at which a Source or Destination can process small packets; such limits may further reduce the available throughput if small packets are used.
--
[rfc2753.txt]
rules or policy criteria are first applied before access is granted. Examples of resources include the buffers in a router and bandwidth on an interface.

- Service Provider: Controls the network infrastructure and may be responsible for the charging and accounting of services.

- Soft State Model - Soft state is a form of the stateful model that times out installed state at a PEP or PDP. It is an automatic way to erase state in the presence of communication or network element failures. For example, RSVP uses the soft state model for
--
including bi-lateral and multi-lateral service agreements and policies based on the notion of relative priority. In general, the determination and configuration of viable policies are the responsibility of the service provider.

- Provision for Monitoring and Accounting Information: The mechanisms must include support for monitoring policy state, resource usage, and provide access information.
In particular, mechanisms must be included to provide usage and access information that may be used for accounting and billing purposes.
--
may reside at a policy server. The PEP represents the component that always runs on the policy aware node. It is the point at which policy decisions are actually enforced. Policy decisions are made primarily at the PDP. The PDP itself may make use of additional mechanisms and protocols to achieve additional functionality such as user authentication, accounting, policy information storage, etc. For example, the PDP is likely to use an LDAP-based directory service for storage and retrieval of policy information [6]. This document does not include discussion of these additional mechanisms and protocols and how they are used.
--
[Figure 1 (box drawing not reproduced)]

Figure 1: A simple configuration with the primary policy control architecture components. PDP may use additional mechanisms and protocols for the purpose of accounting, authentication, policy storage, etc.

The PDP might optionally contact other external servers, e.g., for accessing configuration, user authentication, accounting and billing databases.
Protocols defined for network management (SNMP) or directory access (LDAP) might be used for this communication. While the specific type of access and the protocols used may vary among
--
* PDP sends asynchronous notifications to PEP whenever necessary to change earlier decisions, generate errors etc.

* PDP exports the information useful for usage monitoring and accounting purposes. An example of a useful mechanism for this purpose is a MIB or a relational database. However, this document does not specify any particular mechanism for this purpose and discussion of such mechanisms is out of the scope of this document.
--
5.2. Bilateral agreements between service providers

Until recently, usage agreements between service providers for traffic crossing their boundaries have been quite simple. For example, two ISPs might agree to accept all traffic from each other, often without performing any accounting or billing for the "foreign" traffic carried. However, with the availability of QoS mechanisms based on Integrated and Differentiated Services, traffic differentiation and quality of service guarantees are being phased into the Internet. As ISPs start to sell their customers different grades of service and can differentiate among different sources of
--
traffic (and reservations) transiting their networks.
One additional ../data/rfc/rfc2753.txt- incentive in establishing such mechanisms is the potential asymmetry ../data/rfc/rfc2753.txt- in terms of the customer base that different providers will exhibit: ../data/rfc/rfc2753.txt- ISPs focused on servicing corporate traffic are likely to experience ../data/rfc/rfc2753.txt- much higher demand for reserved services than those that service the ../data/rfc/rfc2753.txt: consumer market. Lack of sophisticated accounting schemes for inter- ../data/rfc/rfc2753.txt- ISP traffic could lead to inefficient allocation of costs among ../data/rfc/rfc2753.txt- different service providers. ../data/rfc/rfc2753.txt- ../data/rfc/rfc2753.txt- Bilateral agreements could fall into two broad categories; local or ../data/rfc/rfc2753.txt- global. Due to the complexity of the problem, it is expected that ../data/rfc/rfc2753.txt- initially only the former will be deployed. In these, providers which ../data/rfc/rfc2753.txt- manage a network cloud or administrative domain contract with their ../data/rfc/rfc2753.txt- closest point of contact (neighbor) to establish ground rules and ../data/rfc/rfc2753.txt: arrangements for access control and accounting. These contracts are ../data/rfc/rfc2753.txt- mostly local and do not rely on global agreements; consequently, a ../data/rfc/rfc2753.txt- policy node maintains information about its neighboring nodes only. ../data/rfc/rfc2753.txt- Referring to Figure 4, this model implies that provider AD-1 has ../data/rfc/rfc2753.txt- established arrangements with AD-2, but not with AD-3, for usage of ../data/rfc/rfc2753.txt- each other's network. Provider AD-2, in turn, has in place agreements -- ../data/rfc/rfc2753.txt- ../data/rfc/rfc2753.txt- * Reliability: The sensitivity of policy control information ../data/rfc/rfc2753.txt- necessitates reliable operation. 
     Undetected loss of policy queries
     or responses may lead to inconsistent network control operation
     and are clearly unacceptable for actions such as billing and
     accounting. One option for providing reliability is the re-use of
     TCP as the transport protocol.

   * Small delays: The timing requirements of policy decisions related
     to QoS signaling protocols are expected to be quite strict. The
     PEP to PDP protocol should add a small amount of delay to the
--
../data/rfc/rfc3272.txt
   (5) A set of administrative control parameters which may be
       manipulated through a Configuration Management (CM) system.
       The CM system itself may include a configuration control
       subsystem, a configuration repository, a configuration
       accounting subsystem, and a configuration auditing
       subsystem.

   (6) A set of guidelines for network performance evaluation,
       performance optimization, and performance improvement.
--
5.6 Open-Loop Versus Closed-Loop

   Open-loop traffic engineering control is where control action does
   not use feedback information from the current network state. The
   control action may use its own local information for accounting
   purposes, however.

   Closed-loop traffic engineering control is where control action
   utilizes feedback information from the network state. The feedback
   information may be in the form of historical information or current
--
../data/rfc/rfc1675.txt
   authentication. This may not be bad; in fact, it is probably good.
   But it is vital that a more secure cryptographic authentication
   protocol be defined and deployed before any substantial cutover to
   source routing, if SIPP is adopted.

Accounting

   A significant part of the world wishes to do usage-sensitive
   accounting. This may be for billing, or it may simply be to
   accommodate quality-of-service requests. Either way, definitive
   knowledge of the relevant address fields is needed. To accommodate
   this, IPng should have a non-intrusive packet authentication
   mechanism. By "non-intrusive", I mean that it should (a) present
   little or no load to intermediate hops that do not need to do
--
../data/rfc/rfc504.txt
   different resources be standardized? How can resources which may
   move from Host to Host or may be available on several Hosts be
   dynamically located and selected for use? The need for
   (desirability of) a "broadcast ICP".

4. Problems of accounting for resource utilization.
   Some form of network wide accounting would be a great convenience.
   For example, it would be nice if a user could use the same account
   at many (all?) sites. What are the problems (if any) preventing
   this?

--
   automated resource sharing experiments?
- Under what conditions would your site be willing or able to
  participate in such experiments?
- What administrative and/or technical considerations would prevent your
  site from entering into a network wide resource sharing agreement?
- If you employ accounting procedures that require cost recovery, how,
  if at all, should they be modified to work in a network resource
  sharing environment?

Reading List:
--
../data/rfc/rfc431.txt
   file. The user name and account number specified remain in
   effect until another LGI command is issued, a LGO command is
   issued, or the connection is closed.

   At present, the use of SMFS is not billed, and therefore
   use of the accounting command is optional. It is requested,
   however, that users and user processes begin to use this command
   as soon as possible, since we would like to collect statistics on
   SMFS utilization before implementing billing. Therefore, at
   present the user name can be any name that identifies the user,
   and the account number is completely arbitrary.
--
   consist of characters chosen from the same character set as
   filenames.

   Logout (LGO)
      The logout command terminates the association between the
      user and the accounting information specified in the last LGI
      command issued, if any; it does not cause SMFS to close the
      connection. The user should then issue another LGI command
      before attempting any operation referencing a file. It is not
      necessary to issue a LGO command before issuing another LGI
      command, or before closing the connection.
--
../data/rfc/rfc7599.txt
   using standard IPv6 means applicable in the network where the CE is
   located.

   The MAP provisioning parameters, and hence the IPv4 service itself,
   are tied to the End-user IPv6 prefix; thus, the MAP service is also
   tied to this in terms of authorization, accounting, etc.

   A single MAP CE MAY be connected to more than one MAP domain, just as
   any router may have more than one IPv4-enabled service-provider-
   facing interface and more than one set of associated addresses
   assigned by DHCPv6. Each domain within which a given CE operates
--
../data/rfc/rfc2139.txt
Request for Comments: 2139                                   Livingston
Obsoletes: 2059                                              April 1997
Category: Informational

                            RADIUS Accounting

Status of this Memo

   This memo provides information for the Internet community. This memo
   does not specify an Internet standard of any kind. Distribution of
   this memo is unlimited.

Abstract

   This document describes a protocol for carrying accounting
   information between a Network Access Server and a shared Accounting
   Server.
Implementation Note

   This memo documents the RADIUS Accounting protocol. There has been
   some confusion in the assignment of port numbers for this protocol.
   The early deployment of RADIUS Accounting was done using the
   erroneously chosen port number 1646, which conflicts with the "sa-
   msg-port" service. The officially assigned port number for RADIUS
   Accounting is 1813.

Table of Contents

   1.     Introduction .......................................... 2
      1.1       Specification of Requirements ................... 3
      1.2       Terminology ..................................... 3
   2.     Operation ............................................. 4
   3.     Packet Format ......................................... 5
   4.     Packet Types .......................................... 7
      4.1       Accounting-Request .............................. 7
      4.2       Accounting-Response ............................. 8
   5.     Attributes ............................................ 10
      5.1       Acct-Status-Type ................................ 11
      5.2       Acct-Delay-Time ................................. 12
      5.3       Acct-Input-Octets ............................... 13
      5.4       Acct-Output-Octets .............................. 14
--
Rigney                       Informational                      [Page 1]

RFC 2139                    RADIUS Accounting                 April 1997

      5.9       Acct-Output-Packets ............................. 17
      5.10      Acct-Terminate-Cause ............................ 18
      5.11      Acct-Multi-Session-Id ........................... 20
--
1. Introduction

   Managing dispersed serial line and modem pools for large numbers of
   users can create the need for significant administrative support.
   Since modem pools are by definition a link to the outside world, they
   require careful attention to security, authorization and accounting.
   This can be best achieved by managing a single "database" of users,
   which allows for authentication (verifying user name and password) as
   well as configuration information detailing the type of service to
   deliver to the user (for example, SLIP, PPP, telnet, rlogin).

   The RADIUS (Remote Authentication Dial In User Service) document [4]
   specifies the RADIUS protocol used for Authentication and
   Authorization. This memo extends the use of the RADIUS protocol to
   cover delivery of accounting information from the Network Access
   Server (NAS) to a RADIUS accounting server.
   Key features of RADIUS Accounting are:

   Client/Server Model

      A Network Access Server (NAS) operates as a client of the
      RADIUS accounting server. The client is responsible for
      passing user accounting information to a designated RADIUS
      accounting server.

      The RADIUS accounting server is responsible for receiving the
      accounting request and returning a response to the client
      indicating that it has successfully received the request.

      The RADIUS accounting server can act as a proxy client to other
      kinds of accounting servers.

   Network Security

      Transactions between the client and RADIUS accounting server
      are authenticated through the use of a shared secret, which is
      never sent over the network.

   Extensible Protocol

--
   session   Each service provided by the NAS to a dial-in user
             constitutes a session, with the beginning of the session
             defined as the point where service is first provided and
             the end of the session defined as the point where service
             is ended. A user may have multiple sessions in parallel or
             series if the NAS supports that, with each session
             generating a separate start and stop accounting record with
             its own Acct-Session-Id.

   silently discard
             This means the implementation discards the packet without
             further processing. The implementation SHOULD provide the
--
             the silently discarded packet, and SHOULD record the event
             in a statistics counter.

2. Operation

   When a client is configured to use RADIUS Accounting, at the start of
   service delivery it will generate an Accounting Start packet
   describing the type of service being delivered and the user it is
   being delivered to, and will send that to the RADIUS Accounting
   server, which will send back an acknowledgement that the packet has
   been received.
   At the end of service delivery the client will
   generate an Accounting Stop packet describing the type of service
   that was delivered and optionally statistics such as elapsed time,
   input and output octets, or input and output packets. It will send
   that to the RADIUS Accounting server, which will send back an
   acknowledgement that the packet has been received.

   The Accounting-Request (whether for Start or Stop) is submitted to
   the RADIUS accounting server via the network. It is recommended that
   the client continue attempting to send the Accounting-Request packet
   until it receives an acknowledgement, using some form of backoff. If
   no response is returned within a length of time, the request is re-
   sent a number of times. The client can also forward requests to an
   alternate server or servers in the event that the primary server is
   down or unreachable. An alternate server can be used either after a
   number of tries to the primary server fail, or in a round-robin
   fashion. Retry and fallback algorithms are the topic of current
   research and are not specified in detail in this document.

   The RADIUS accounting server MAY make requests of other servers in
   order to satisfy the request, in which case it acts as a client.

   If the RADIUS accounting server is unable to successfully record the
   accounting packet it MUST NOT send an Accounting-Response
   acknowledgment to the client.

3. Packet Format

   Exactly one RADIUS Accounting packet is encapsulated in the UDP Data
   field [1], where the UDP Destination Port field indicates 1813
   (decimal).

   When a reply is generated, the source and destination ports are
   reversed.

   This memo documents the RADIUS Accounting protocol. There has been
   some confusion in the assignment of port numbers for this protocol.
   The early deployment of RADIUS Accounting was done using the
   erroneously chosen port number 1646, which conflicts with the "sa-
   msg-port" service. The officially assigned port number for RADIUS
   Accounting is 1813.

   A summary of the RADIUS data format is shown below. The fields are
   transmitted from left to right.

    0                   1                   2                   3
--
   The Code field is one octet, and identifies the type of RADIUS
   packet. When a packet is received with an invalid Code field, it is
   silently discarded.
   RADIUS Accounting Codes (decimal) are assigned as follows:

       4       Accounting-Request
       5       Accounting-Response

Identifier

   The Identifier field is one octet, and aids in matching requests and
   replies.

Length

   The Length field is two octets. It indicates the length of the
--
Authenticator

   The Authenticator field is sixteen (16) octets. The most significant
   octet is transmitted first. This value is used to authenticate the
   messages between the client and RADIUS accounting server.

Request Authenticator

   In Accounting-Request Packets, the Authenticator value is a 16 octet
   MD5 [3] checksum, called the Request Authenticator.

   The NAS and RADIUS accounting server share a secret. The Request
   Authenticator field in Accounting-Request packets contains a one-way
   MD5 hash calculated over a stream of octets consisting of the Code +
   Identifier + Length + 16 zero octets + request attributes + shared
   secret (where + indicates concatenation).
   The 16 octet MD5 hash
   value is stored in the Authenticator field of the Accounting-Request
   packet.

   Note that the Request Authenticator of an Accounting-Request cannot
   be computed the same way as the Request Authenticator of a RADIUS
   Access-Request, because there is no User-Password attribute in an
   Accounting-Request.

Response Authenticator

   The Authenticator field in an Accounting-Response packet is called
   the Response Authenticator, and contains a one-way MD5 hash
   calculated over a stream of octets consisting of the Accounting-
   Response Code, Identifier, Length, the Request Authenticator field
   from the Accounting-Request packet being replied to, and the response
   attributes if any, followed by the shared secret. The resulting 16
   octet MD5 hash value is stored in the Authenticator field of the
   Accounting-Response packet.

Attributes

   Attributes may have multiple instances, in such a case the order of
--
4. Packet Types

   The RADIUS packet type is determined by the Code field in the first
   octet of the packet.

4.1. Accounting-Request

   Description

      Accounting-Request packets are sent from a client (typically a
      Network Access Server or its proxy) to a RADIUS accounting server,
      and convey information used to provide accounting for a service
      provided to a user. The client transmits a RADIUS packet with the
      Code field set to 4 (Accounting-Request).

      Upon receipt of an Accounting-Request, the server MUST transmit an
      Accounting-Response reply if it successfully records the
      accounting packet, and MUST NOT transmit any reply if it fails to
      record the accounting packet.

      Any attribute valid in a RADIUS Access-Request or Access-Accept
      packet is valid in a RADIUS Accounting-Request packet, except that
      the following attributes MUST NOT be present in an Accounting-
      Request: User-Password, CHAP-Password, Reply-Message, State.
      Either NAS-IP-Address or NAS-Identifier MUST be present in a
      RADIUS Accounting-Request. It SHOULD contain a NAS-Port or NAS-
      Port-Type attribute or both unless the service does not involve a
      port or the NAS does not distinguish among its ports.

      A summary of the Accounting-Request packet format is shown below.
      The fields are transmitted from left to right.

--
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
      |  Attributes ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      4 for Accounting-Request.

   Identifier

      The Identifier field MUST be changed whenever the content of the
      Attributes field changes, and whenever a valid reply has been
      received for a previous request. For retransmissions where the
      contents are identical, the Identifier MUST remain unchanged.

      Note that if Acct-Delay-Time is included in the attributes of an
      Accounting-Request then the Acct-Delay-Time value will be updated
      when the packet is retransmitted, changing the content of the
      Attributes field and requiring a new Identifier and Request
      Authenticator.
   Request Authenticator

      The Request Authenticator of an Accounting-Request contains a 16-
      octet MD5 hash value calculated according to the method described
      in "Request Authenticator" above.

   Attributes

      The Attributes field is variable in length, and contains a list of
      Attributes.

4.2. Accounting-Response

   Description

      Accounting-Response packets are sent by the RADIUS accounting
      server to the client to acknowledge that the Accounting-Request
      has been received and recorded successfully. If the Accounting-
      Request was recorded successfully then the RADIUS accounting
      server MUST transmit a packet with the Code field set to 5
      (Accounting-Response). On reception of an Accounting-Response by
      the client, the Identifier field is matched with a pending
      Accounting-Request. Invalid packets are silently discarded.

      A RADIUS Accounting-Response is not required to have any
      attributes in it.

      A summary of the Accounting-Response packet format is shown below.
      The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
      |  Attributes ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      5 for Accounting-Response.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      Accounting-Request which caused this Accounting-Response.

   Response Authenticator

      The Response Authenticator of an Accounting-Response contains a
      16-octet MD5 hash value calculated according to the method
      described in "Response Authenticator" above.

   Attributes

--
5. Attributes

   RADIUS Attributes carry the specific authentication, authorization
   and accounting details for the request and response.

   Some attributes MAY be included more than once. The effect of this
   is attribute specific, and is specified in each attribute
   description.
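The Request and Response Authenticator construction from Section 3 and the Accounting-Request/Accounting-Response exchange from Section 4, as an added example in Python that is not part of RFC 2139 or of any RADIUS implementation: the packet codes and attribute type numbers are the RFC's own (NAS-IP-Address is from RFC 2138), while the shared secret, session id and NAS address are constructed sample values. Both sides recompute the MD5 over the header with the Authenticator field zeroed (request) or replaced by the Request Authenticator (response), and a bad Length or a mismatched hash leads to the silent discard the text requires.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 2139 (Acct-*) and RFC 2138 (NAS-IP-Address).
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(attrs):
    """Encode (type, value) pairs as Type/Length/Value triples, Length covering all three."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for a one-octet Length")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def parse_attributes(data):
    """Walk the TLV list; return None on any invalid Length (the whole packet is then discarded)."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            return None
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def _header_and_body(packet, expected_code):
    """Common checks: minimum size, Code, and a Length no longer than the datagram."""
    if len(packet) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != expected_code or length < HEADER_LEN or length > len(packet):
        return None
    packet = packet[:length]  # octets beyond Length are padding and are ignored
    attrs = parse_attributes(packet[HEADER_LEN:])
    if attrs is None:
        return None
    return packet, identifier, attrs


def build_accounting_request(identifier, attrs, secret):
    """Accounting-Request: Authenticator = MD5(Code + Id + Length + 16 zero octets + attrs + secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(body))
    request_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_auth + body


def verify_accounting_request(packet, secret):
    """Server side: return (identifier, request_auth, attrs), or None to silently discard."""
    parsed = _header_and_body(packet, ACCOUNTING_REQUEST)
    if parsed is None:
        return None
    packet, identifier, attrs = parsed
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return None  # wrong shared secret or modified packet: send no response at all
    return identifier, packet[4:HEADER_LEN], attrs


def build_accounting_response(identifier, request_auth, secret, attrs=()):
    """Accounting-Response: Authenticator = MD5(Code + Id + Length + RequestAuth + attrs + secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, identifier, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_accounting_response(packet, pending_request, secret):
    """Client side: match the Identifier to the pending request, then check the Response Authenticator."""
    parsed = _header_and_body(packet, ACCOUNTING_RESPONSE)
    if parsed is None or parsed[1] != pending_request[1]:
        return False
    packet = parsed[0]
    request_auth = pending_request[4:HEADER_LEN]
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def demo():
    """Round trip with constructed sample values; returns (response_ok, tampered_discarded)."""
    secret = b"example-shared-secret"  # constructed, not a real deployment secret
    attrs = [
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
        (ATTR_ACCT_SESSION_ID, b"00000123"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # documentation address (TEST-NET-1)
    ]
    request = build_accounting_request(7, attrs, secret)
    parsed = verify_accounting_request(request, secret)
    response = build_accounting_response(parsed[0], parsed[1], secret)
    tampered = bytearray(request)
    tampered[-1] ^= 0x01  # flip one octet of the last attribute in transit
    return (verify_accounting_response(response, request, secret),
            verify_accounting_request(bytes(tampered), secret) is None)
```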
--
   Length

      The Length field is one octet, and indicates the length of this
      attribute including the Type, Length and Value fields. If an
      attribute is received in an Accounting-Request with an invalid
      Length, the entire request should be silently discarded.

   Value

      The Value field is zero or more octets and contains information
--
5.1. Acct-Status-Type

   Description

      This attribute indicates whether this Accounting-Request marks the
      beginning of the user service (Start) or the end (Stop).

      It MAY be used by the client to mark the start of accounting (for
      example, upon booting) by specifying Accounting-On and to mark the
      end of accounting (for example, just before a scheduled reboot) by
      specifying Accounting-Off.

      A summary of the Acct-Status-Type attribute format is shown below.
      The fields are transmitted from left to right.

       0                   1                   2                   3
--
   Type

      40 for Acct-Status-Type.
--
      The Value field is four octets.

         1      Start
         2      Stop
         7      Accounting-On
         8      Accounting-Off

5.2. Acct-Delay-Time

   Description

      This attribute indicates how many seconds the client has been
      trying to send this record for, and can be subtracted from the
      time of arrival on the server to find the approximate time of the
      event generating this Accounting-Request. (Network transit time
      is ignored.)

      Note that changing the Acct-Delay-Time causes the Identifier to
      change; see the discussion under Identifier above.
--
   Value

      The Value field is four octets.
--
   Description

      This attribute indicates how many octets have been received from
      the port over the course of this service being provided, and can
      only be present in Accounting-Request records where the Acct-
      Status-Type is set to Stop.

      A summary of the Acct-Input-Octets attribute format is shown below.
      The fields are transmitted from left to right.
--
   Description

      This attribute indicates how many octets have been sent to the
      port in the course of delivering this service, and can only be
      present in Accounting-Request records where the Acct-Status-Type
      is set to Stop.

      A summary of the Acct-Output-Octets attribute format is shown below.
      The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
5.5.
Acct-Session-Id ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Description ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt: This attribute is a unique Accounting ID to make it easy to match ../data/rfc/rfc2139.txt- start and stop records in a log file. The start and stop records ../data/rfc/rfc2139.txt- for a given session MUST have the same Acct-Session-Id. It is ../data/rfc/rfc2139.txt- strongly recommended that the Acct-Session-Id be a printable ASCII ../data/rfc/rfc2139.txt- string. ../data/rfc/rfc2139.txt- -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 14] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- 0 1 2 ../data/rfc/rfc2139.txt- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 ../data/rfc/rfc2139.txt- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-5.6. Acct-Authentic ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Description ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt: This attribute MAY be included in an Accounting-Request to ../data/rfc/rfc2139.txt- indicate how the user was authenticated, whether by RADIUS, the ../data/rfc/rfc2139.txt- NAS itself, or another remote authentication protocol. Users who ../data/rfc/rfc2139.txt- are delivered service without being authenticated SHOULD NOT ../data/rfc/rfc2139.txt: generate Accounting records. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- A summary of the Acct-Authentic attribute format is shown below. The ../data/rfc/rfc2139.txt- fields are transmitted from left to right. 
../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- 0 1 2 3 -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 15] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Value ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- The Value field is four octets. -- ../data/rfc/rfc2139.txt-5.7. Acct-Session-Time ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Description ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- This attribute indicates how many seconds the user has received ../data/rfc/rfc2139.txt: service for, and can only be present in Accounting-Request records ../data/rfc/rfc2139.txt- where the Acct-Status-Type is set to Stop. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- A summary of the Acct-Session-Time attribute format is shown below. ../data/rfc/rfc2139.txt- The fields are transmitted from left to right. ../data/rfc/rfc2139.txt- -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Description ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- This attribute indicates how many packets have been received from ../data/rfc/rfc2139.txt- the port over the course of this service being provided to a ../data/rfc/rfc2139.txt: Framed User, and can only be present in Accounting-Request records ../data/rfc/rfc2139.txt- where the Acct-Status-Type is set to Stop. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 16] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- A summary of the Acct-Input-packets attribute format is shown below. ../data/rfc/rfc2139.txt- The fields are transmitted from left to right. 
../data/rfc/rfc2139.txt- -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Description ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- This attribute indicates how many packets have been sent to the ../data/rfc/rfc2139.txt- port in the course of delivering this service to a Framed User, ../data/rfc/rfc2139.txt: and can only be present in Accounting-Request records where the ../data/rfc/rfc2139.txt- Acct-Status-Type is set to Stop. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- A summary of the Acct-Output-Packets attribute format is shown below. ../data/rfc/rfc2139.txt- The fields are transmitted from left to right. ../data/rfc/rfc2139.txt- -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 17] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Length ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- 6 -- ../data/rfc/rfc2139.txt-5.10. Acct-Terminate-Cause ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Description ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- This attribute indicates how the session was terminated, and can ../data/rfc/rfc2139.txt: only be present in Accounting-Request records where the Acct- ../data/rfc/rfc2139.txt- Status-Type is set to Stop. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- A summary of the Acct-Terminate-Cause attribute format is shown ../data/rfc/rfc2139.txt- below. The fields are transmitted from left to right. 
../data/rfc/rfc2139.txt- -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 18] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Value ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- The Value field is four octets, containing an integer specifying -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 19] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- NAS Error NAS detected some error (other than on the ../data/rfc/rfc2139.txt- port) which required ending the session. ../data/rfc/rfc2139.txt- -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-5.11. Acct-Multi-Session-Id ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Description ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt: This attribute is a unique Accounting ID to make it easy to link ../data/rfc/rfc2139.txt- together multiple related sessions in a log file. Each session ../data/rfc/rfc2139.txt- linked together would have a unique Acct-Session-Id but the same ../data/rfc/rfc2139.txt- Acct-Multi-Session-Id. It is strongly recommended that the Acct- ../data/rfc/rfc2139.txt- Multi-Session-Id be a printable ASCII string. ../data/rfc/rfc2139.txt- -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 20] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Type ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- 50 for Acct-Multi-Session-Id. -- ../data/rfc/rfc2139.txt-5.12. 
Acct-Link-Count ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Description ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- This attribute gives the count of links which are known to have ../data/rfc/rfc2139.txt: been in a given multilink session at the time the accounting ../data/rfc/rfc2139.txt- record is generated. The NAS MAY include the Acct-Link-Count ../data/rfc/rfc2139.txt: attribute in any Accounting-Request which might have multiple ../data/rfc/rfc2139.txt- links. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- A summary of the Acct-Link-Count attribute format is show below. The ../data/rfc/rfc2139.txt- fields are transmitted from left to right. ../data/rfc/rfc2139.txt- -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 21] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt: It may be used to make it easier for an accounting server to know ../data/rfc/rfc2139.txt- when it has all the records for a given Multilink session. When ../data/rfc/rfc2139.txt: the number of Accounting-Requests received with Acct-Status-Type = ../data/rfc/rfc2139.txt- Stop and the same Acct-Multi-Session-Id and unique Acct-Session- ../data/rfc/rfc2139.txt- Id's equals the largest value of Acct-Link-Count seen in those ../data/rfc/rfc2139.txt: Accounting-Requests, all Stop Accounting-Requests for that ../data/rfc/rfc2139.txt- Multilink Session have been received. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt: An example showing 8 Accounting-Requests should make things ../data/rfc/rfc2139.txt- clearer. For clarity only the relevant attributes are shown, but ../data/rfc/rfc2139.txt: additional attributes containing accounting information will also ../data/rfc/rfc2139.txt: be present in the Accounting-Request. 
../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Multi-Session-Id Session-Id Status-Type Link-Count ../data/rfc/rfc2139.txt- "10" "10" Start 1 ../data/rfc/rfc2139.txt- "10" "11" Start 2 ../data/rfc/rfc2139.txt- "10" "11" Stop 2 -- ../data/rfc/rfc2139.txt- "10" "10" Stop 4 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-5.13. Table of Attributes ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- The following table provides a guide to which attributes may be found ../data/rfc/rfc2139.txt: in Accounting-Request packets. No attributes should be found in ../data/rfc/rfc2139.txt: Accounting-Response packets except Proxy-State and possibly Vendor- ../data/rfc/rfc2139.txt- Specific. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- # Attribute ../data/rfc/rfc2139.txt- 0-1 User-Name ../data/rfc/rfc2139.txt- 0 User-Password -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 22] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- 0-1 Callback-Number ../data/rfc/rfc2139.txt- 0-1 Callback-Id ../data/rfc/rfc2139.txt- 0+ Framed-Route -- ../data/rfc/rfc2139.txt- 0-1 NAS-Port-Type ../data/rfc/rfc2139.txt- 0-1 Port-Limit ../data/rfc/rfc2139.txt- 0-1 Login-LAT-Port ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt: [5] An Accounting-Request MUST contain either a NAS-IP-Address or a ../data/rfc/rfc2139.txt- NAS-Identifier, and it is permitted (but not recommended) for it to ../data/rfc/rfc2139.txt- contain both. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- The following table defines the above table entries. 
../data/rfc/rfc2139.txt- -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 23] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Security Considerations ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Security issues are briefly discussed in sections concerning the ../data/rfc/rfc2139.txt: authenticator included in accounting requests and responses, using a ../data/rfc/rfc2139.txt- shared secret which is never sent over the network. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-References ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- [1] Postel, J., "User Datagram Protocol", STD 6, RFC 768, -- ../data/rfc/rfc2139.txt- Authentication Dial In User Service (RADIUS)", RFC 2138, ../data/rfc/rfc2139.txt- April 1997. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Acknowledgments ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt: RADIUS and RADIUS Accounting were originally developed by Livingston ../data/rfc/rfc2139.txt- Enterprises for their PortMaster series of Network Access Servers. ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Chair's Address ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- The RADIUS working group can be contacted via the current chair: -- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Rigney Informational [Page 24] ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt:RFC 2139 RADIUS Accounting April 1997 ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt-Author's Address ../data/rfc/rfc2139.txt- ../data/rfc/rfc2139.txt- Questions about this memo can also be directed to: -- ../data/rfc/rfc4220.txt- DISPLAY-HINT "d" ../data/rfc/rfc4220.txt- STATUS current ../data/rfc/rfc4220.txt- DESCRIPTION ../data/rfc/rfc4220.txt- "This type is used to represent a priority. 
Each connection ../data/rfc/rfc4220.txt- is assigned a priority. This priority is used when ../data/rfc/rfc4220.txt: accounting for bandwidth on TE links or component ../data/rfc/rfc4220.txt- links, for resource allocation and for rerouting purposes. ../data/rfc/rfc4220.txt- Value 0 is the highest priority. Value 7 is the lowest ../data/rfc/rfc4220.txt- priority." ../data/rfc/rfc4220.txt- ../data/rfc/rfc4220.txt- -- ../data/rfc/rfc7182.txt- ../data/rfc/rfc7182.txt- o Two kinds of TLV: one for carrying Integrity Check Values (ICVs) ../data/rfc/rfc7182.txt- and one for timestamps in packets, messages, and Address Blocks as ../data/rfc/rfc7182.txt- defined by [RFC5444]. ../data/rfc/rfc7182.txt- ../data/rfc/rfc7182.txt: o A generic framework for use of these TLVs, accounting for specific ../data/rfc/rfc7182.txt- features of Packet, Message, and Address Block TLVs. ../data/rfc/rfc7182.txt- ../data/rfc/rfc7182.txt- o IANA registrations for TLVs, and registries for TLV type ../data/rfc/rfc7182.txt- extensions, replacing those from [RFC6622]. ../data/rfc/rfc7182.txt- -- ../data/rfc/rfc6521.txt- ../data/rfc/rfc6521.txt- ../data/rfc/rfc6521.txt- Several possibilities exist for achieving route optimization between ../data/rfc/rfc6521.txt- MRs attached to separate HAs, such as a new discovery/probing ../data/rfc/rfc6521.txt- protocol or routing protocol between HAs or DNS SRV records, or a ../data/rfc/rfc6521.txt: common Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc6521.txt- architecture. There is already a framework for HA to retrieve ../data/rfc/rfc6521.txt- information from AAA, so it can be considered the most viable ../data/rfc/rfc6521.txt- possibility. See Section 6.6 for information on a possible way to ../data/rfc/rfc6521.txt- generalize the method. ../data/rfc/rfc6521.txt- -- ../data/rfc/rfc3603.txt- information, and station information (e.g., coin operated phone). 
   In addition, while translating the destination number, information such as the local-number-portability office code is obtained and will be needed by all other proxies handling this call.

   For Usage Accounting records, it is necessary to have an identifier that can be associated with all the event records produced for the call. The SIP Call-ID header field cannot be used as such an identifier since it is selected by the originating user agent, and may not be unique among all past calls as well as current calls. Further, since this identifier is to be used by the service provider,
--
   announcement servers, etc. Outside of the trust boundary lie the customer premises equipment, and various application and media servers operated by third-party service providers.

   Certain subscriber-specific information, such as billing and accounting information, stays within the trust boundary. Other subscriber-specific information, such as endpoint identity, may be presented to untrusted endpoints or may be withheld based on subscriber profiles.

   The User Agent (UA) may be either within the trust boundary or
--
   information based on the authenticated identity of the calling and called parties. Since there is a trust relationship among proxies, they can be relied upon to exchange trusted billing information pertaining to the parties involved in a call.

   For Usage Accounting records, it is necessary to have an identifier that can be associated with all the event records produced for the call. The SIP Call-ID header field cannot be used as such an identifier since it is selected by the originating user agent, and may not be unique among all past calls as well as current calls. Further, since this identifier is to be used by the service provider,
--
   the future, to limit the ability of the originator to re-use this private-URL for multiple calls.

   A UAC that includes a Refer-to header in a REFER request MUST include a P-DCS-Billing-Info header in the Refer-to's URL. This P-DCS-Billing-Info header MUST include the accounting information of the initiator of the REFER.

7.4. Procedures at an Untrusted User Agent Server (UAS)

   This header is never sent to an untrusted UAS, and is never sent by
--
   provisioned in the UAS. If the UAS performed a LNP query, it MUST include the Routing Number and Location Routing Number returned by the query.

   The UAS MUST add a P-DCS-Billing-Info header to a 3xx-redirect response to an initial INVITE, giving the accounting information for the call forwarder, for the call segment from the destination to the forwarded-to destination.
--
   Info header present from an untrusted UA MUST be removed.

   If the Request-URI contains a private-URL, and the decoded username contains billing information, the originating proxy MUST generate a P-DCS-Billing-Info header with that decrypted information. Otherwise, the originating proxy MUST determine the accounting information for the call originator, and insert a P-DCS-Billing-Info header including that information.
--
   the future, to limit the ability of the originator to re-use this private-URL for multiple calls.

   An originating proxy that processes a REFER request from an untrusted UA MUST include a P-DCS-Billing-Info header in the Refer-to's URL. This P-DCS-Billing-Info header MUST include the accounting information of the initiator.

7.6.2. Procedures at Terminating Proxy

   The terminating proxy MUST NOT send the P-DCS-Billing-Info header to
--
   provider policy provisioned in the terminating proxy. If the terminating proxy performed a LNP query, it MUST include the Routing Number and Location Routing Number returned by the query.

   The terminating proxy MUST add P-DCS-Billing-Info headers to a 3xx-redirect response to an initial INVITE, giving the accounting information for the call forwarder, for the call segment from the destination to the forwarded-to destination.
--
../data/rfc/rfc2626.txt

              for IPng
   1676:: I:: INFN Requirements for an IPng
   1674:: I:: A Cellular Industry View of IPng
   1673:: I:: Electric Power Research Institute Comments on IPng
   1672:: I:: Accounting Requirements for IPng
   1671:: I:: IPng White Paper on Transition and Other Considerations
   1670:: I:: Input to IPng Engineering Considerations
   1669:: I:: Market Viability as a IPng Criteria
   1667:: I:: Modeling and Simulation Requirements for IPng
   1663:: PS:: PPP Reliable Transmission
--
   1354:: PS:: IP Forwarding Table MIB
   1353:: H:: Definitions of Managed Objects for Administration of SNMP Parties
   1352:: H:: SNMP Security Protocols
   1351:: H:: SNMP Administrative Model
   1346:: I:: Resource Allocation, Control, and Accounting for the Use of Network Resources
   1318:: PS:: Definitions of Managed Objects for Parallel-printer-like
--
   1284:: PS:: Definitions of Managed Objects for the Ethernet-like Interface Types
   1283:: E:: SNMP over OSI
   1273:: I:: A Measurement Study of Changes in Service-Level Reachability in the Global TCP/IP Internet
   1272:: I:: Internet Accounting
   1271:: PS:: Remote Network Monitoring Management Information Base
   1270:: I:: SNMP Communications Services
   1269:: PS:: Definitions of Managed Objects for the Border Gateway Protocol (Version 3)
   1262:: :: Guidelines for Internet Measurement Activities
--
   2082:: PS:: RIP-2 MD5 Authentication
   2078:: PS:: Generic Security Service Application Program Interface, Version 2
   2069:: PS:: An Extension to HTTP
   2065:: PS:: Domain Name System Security Extensions
   2059:: I:: RADIUS Accounting
   2058:: PS:: Remote Authentication Dial In User Service (RADIUS)
   2057:: I:: Source directed access control on the Internet.
../data/rfc/rfc2626.txt-2040:: I:: The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms ../data/rfc/rfc2626.txt-2025:: PS:: The Simple Public-Key GSS-API Mechanism (SPKM) ../data/rfc/rfc2626.txt-2015:: :: MIME Security with Pretty Good Privacy (PGP) -- ../data/rfc/rfc2626.txt-Nesser Informational [Page 76] ../data/rfc/rfc2626.txt- ../data/rfc/rfc2626.txt-RFC 2626 The Internet and the Millennium Problem (Year 2000) June 1999 ../data/rfc/rfc2626.txt- ../data/rfc/rfc2626.txt- ../data/rfc/rfc2626.txt: 136:: :: Host accounting and administrative procedures ../data/rfc/rfc2626.txt- 135:: :: Response to NWG/RFC 110 ../data/rfc/rfc2626.txt- 132:: :: Typographical error in RFC 107 ../data/rfc/rfc2626.txt- 131:: :: Response to RFC 116 ../data/rfc/rfc2626.txt- 130:: :: Response to RFC 111 ../data/rfc/rfc2626.txt- 129:: :: Request for comments on socket name structure -- ../data/rfc/rfc2906.txt- Copyright (C) The Internet Society (2000). All Rights Reserved. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt-Abstract ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- This document specifies the requirements that Authentication ../data/rfc/rfc2906.txt: Authorization Accounting (AAA) protocols must meet in order to ../data/rfc/rfc2906.txt- support authorization services in the Internet. The requirements have ../data/rfc/rfc2906.txt- been elicited from a study of a range of applications including ../data/rfc/rfc2906.txt- mobile-IP, roamops and others. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- -- ../data/rfc/rfc2906.txt- different (security) domains. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- This states that it must be possible for any AAA protocol message to ../data/rfc/rfc2906.txt- cross security or administrative domain boundaries. Typically, higher ../data/rfc/rfc2906.txt- levels of security will be applied when crossing such boundaries, and ../data/rfc/rfc2906.txt: accounting mechanisms may also have to be more stringent. 
../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt-2.4.4 AAA protocols MUST support roaming. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- Roaming here may also be thought of as "away-from-home" operation. ../data/rfc/rfc2906.txt- For example, this is a fundamental requirement for the mobile IP -- ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- This states that AAA entities may have to maintain state and act when ../data/rfc/rfc2906.txt- the state indicates some condition has been met. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt-2.7.3 Within a single session or transaction, it MUST be possible to ../data/rfc/rfc2906.txt: interleave authentication, authorization and accounting AAA messages. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- This states, that e.g. a session may have to use initial ../data/rfc/rfc2906.txt: authentication, authorization and accounting AAA message(s), but also ../data/rfc/rfc2906.txt- have to include e.g. re-authentication every 30 minutes, or a ../data/rfc/rfc2906.txt: continuous "drip-drip" of accounting AAA messages. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt-2.7.4 Authorization decisions may result in a "not ready" answer. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- This states that yes and no are not the only outcomes of an ../data/rfc/rfc2906.txt- authorization decision. In particular, if the AAA entity cannot yet -- ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- This is necessary to be able to scale a AAA solution where there are ../data/rfc/rfc2906.txt- many requestors. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt-2.10.4 AAA protocols MUST be able to support a linkage between ../data/rfc/rfc2906.txt: authorization and accounting mechanisms. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- Motherhood and apple-pie. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- -- ../data/rfc/rfc2906.txt-3. 
Security Considerations ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- This document includes specific security requirements. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- This document does not state any detailed requirements for the ../data/rfc/rfc2906.txt: interplay with authentication, accounting or accountability (audit). ../data/rfc/rfc2906.txt- A AAA protocol, which meets all of the above requirements, may still ../data/rfc/rfc2906.txt- leave vulnerabilities due to such interactions. Such issues must be ../data/rfc/rfc2906.txt- considered as part of AAA protocol design. ../data/rfc/rfc2906.txt- ../data/rfc/rfc2906.txt- -- ../data/rfc/rfc7906.txt- The integer encoding should be used when it is important to ../data/rfc/rfc7906.txt- keep key package size to a minimum. ../data/rfc/rfc7906.txt- ../data/rfc/rfc7906.txt- o The registerID is OPTIONAL. For electronic keying material, ../data/rfc/rfc7906.txt- the registerID is usually omitted. The registerID is an ../data/rfc/rfc7906.txt: accounting number assigned to identify Communications Security ../data/rfc/rfc7906.txt- (COMSEC) material. The registerID is either a single value or ../data/rfc/rfc7906.txt- a range. ../data/rfc/rfc7906.txt- ../data/rfc/rfc7906.txt- o The segmentID is OPTIONAL, and it distinguishes the individual ../data/rfc/rfc7906.txt- symmetric keys delivered in one edition. A unique -- ../data/rfc/rfc6942.txt- with an unknown EAP code. ../data/rfc/rfc6942.txt- ../data/rfc/rfc6942.txt-10. IANA Considerations ../data/rfc/rfc6942.txt- ../data/rfc/rfc6942.txt- IANA has registered the following new elements in the Authentication, ../data/rfc/rfc6942.txt: Authorization, and Accounting (AAA) Parameters registries ../data/rfc/rfc6942.txt- [AAAPARAMS]. ../data/rfc/rfc6942.txt- ../data/rfc/rfc6942.txt-10.1. Diameter Application Identifier ../data/rfc/rfc6942.txt- ../data/rfc/rfc6942.txt- IANA has allocated a new value "Diameter ERP" (code: 13) in the -- ../data/rfc/rfc6942.txt- October 2012. 
../data/rfc/rfc6942.txt- ../data/rfc/rfc6942.txt-14.2. Informative References ../data/rfc/rfc6942.txt- ../data/rfc/rfc6942.txt- [AAAPARAMS] Internet Assigned Numbers Authority, "Authentication, ../data/rfc/rfc6942.txt: Authorization, and Accounting (AAA) Parameters", ../data/rfc/rfc6942.txt- <http://www.iana.org/assignments/aaa-parameters/>. ../data/rfc/rfc6942.txt- ../data/rfc/rfc6942.txt- [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. ../data/rfc/rfc6942.txt- Arkko, "Diameter Base Protocol", RFC 3588, September ../data/rfc/rfc6942.txt- 2003. -- ../data/rfc/rfc231.txt-could be taken to constructing a uniform access to subsystems from the ../data/rfc/rfc231.txt-supervisor. In like fashion, a network standard interrupt could be ../data/rfc/rfc231.txt-translated into the escape (e.g., control C) of the serving host to ../data/rfc/rfc231.txt-return from a subsystem. ../data/rfc/rfc231.txt- ../data/rfc/rfc231.txt:Charging Algorithms and Accounting Protocol ../data/rfc/rfc231.txt-------------------------------------------- ../data/rfc/rfc231.txt- ../data/rfc/rfc231.txt- To accurately forecast costs, a normalized formula for machine ../data/rfc/rfc231.txt- ../data/rfc/rfc231.txt- ../data/rfc/rfc231.txt- ../data/rfc/rfc231.txt- [Page 2] ../data/rfc/rfc231.txt- ../data/rfc/rfc231.txt:time estimation is needed. Technically, an accounting protocol is ../data/rfc/rfc231.txt-easily added at the subnet and/or NCP levels--the relevant information ../data/rfc/rfc231.txt-is the same for all nodes, thus the Net charges are readily determined ../data/rfc/rfc231.txt-by any node. More difficult is the prediction and comparison of host ../data/rfc/rfc231.txt-charges. Like the login procedure example, each host uses the same ../data/rfc/rfc231.txt-ingredients, namely storage, I/O, connect time, and CPU resources ../data/rfc/rfc231.txt-expended. 
Again, like the login procedure, the information is handled ../data/rfc/rfc231.txt-slightly differently in each case such that estimations are ../data/rfc/rfc231.txt-difficult. For example, some charge algorithms represent I/O as ../data/rfc/rfc231.txt-counts of I/O transactions where others clock I/O time. Without ../data/rfc/rfc231.txt:significantly perturbing anyone's local accounting procedures, it is ../data/rfc/rfc231.txt-desirable to normalize the charge components as a step toward ../data/rfc/rfc231.txt-reasonable cost comparisons and forecasting. ../data/rfc/rfc231.txt- ../data/rfc/rfc231.txt-Off-Line Services ../data/rfc/rfc231.txt------------------ -- ../data/rfc/rfc7378.txt- calls, even for customers with whom they have no direct or indirect ../data/rfc/rfc7378.txt- relationship. To provide identity information about the emergency ../data/rfc/rfc7378.txt- caller from the VSP, it would be necessary to let the IAP and the VSP ../data/rfc/rfc7378.txt- interact for authentication (see, for example, "Diameter Session ../data/rfc/rfc7378.txt- Initiation Protocol (SIP) Application" [RFC4740]). This interaction ../data/rfc/rfc7378.txt: along the Authentication, Authorization, and Accounting ../data/rfc/rfc7378.txt- infrastructure is often based on business relationships between the ../data/rfc/rfc7378.txt- involved entities. An arbitrary IAP and VSP are unlikely to have a ../data/rfc/rfc7378.txt- business relationship. If the interaction between the IAP and the ../data/rfc/rfc7378.txt- VSP fails due to the lack of a business relationship, then typically ../data/rfc/rfc7378.txt- a fall-back would be provided where no emergency caller identity -- ../data/rfc/rfc5418.txt- authenticate prior to being granted access, and in enterprise ../data/rfc/rfc5418.txt- deployments, this is frequently accomplished using [8021X]. When ../data/rfc/rfc5418.txt- using IEEE 802.11, this mode is called a Robust Security Network ../data/rfc/rfc5418.txt- (RSN) [80211I]. 
Here, the client is called the "supplicant", the AP ../data/rfc/rfc5418.txt- is the "authenticator", and either the AP or an external ../data/rfc/rfc5418.txt: Authentication, Authorization, and Accounting (AAA) server fulfills ../data/rfc/rfc5418.txt- the role of "authentication server", depending on the authentication ../data/rfc/rfc5418.txt- mechanism used. ../data/rfc/rfc5418.txt- ../data/rfc/rfc5418.txt- From the perspective of the network administrator, the wired LAN to ../data/rfc/rfc5418.txt- which the AP is attached is typically considered to be more trusted -- ../data/rfc/rfc5418.txt-RFC 5418 CAPWAP 802.11 Threat Analysis March 2009 ../data/rfc/rfc5418.txt- ../data/rfc/rfc5418.txt- ../data/rfc/rfc5418.txt-2. Abbreviations and Definitions ../data/rfc/rfc5418.txt- ../data/rfc/rfc5418.txt: o AAA - Authentication, Authorization and Accounting ../data/rfc/rfc5418.txt- ../data/rfc/rfc5418.txt- o AC - Access Controller ../data/rfc/rfc5418.txt- ../data/rfc/rfc5418.txt- o AES-CCMP - Advanced Encryption Standard - Counter-mode CBC MAC ../data/rfc/rfc5418.txt- Protocol -- ../data/rfc/rfc5418.txt- [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible ../data/rfc/rfc5418.txt- Authentication Protocol (EAP) Application", RFC 4072, ../data/rfc/rfc5418.txt- August 2005. ../data/rfc/rfc5418.txt- ../data/rfc/rfc5418.txt- [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, ../data/rfc/rfc5418.txt: Authorization, and Accounting (AAA) Key Management", ../data/rfc/rfc5418.txt- BCP 132, RFC 4962, July 2007. ../data/rfc/rfc5418.txt- ../data/rfc/rfc5418.txt- ../data/rfc/rfc5418.txt- ../data/rfc/rfc5418.txt- -- ../data/rfc/rfc1550.txt- ../data/rfc/rfc1550.txt- 5.11 Datagram service - Existing IP service is "best effort" and ../data/rfc/rfc1550.txt- based on hop-by-hop routed datagrams. What requirements for this ../data/rfc/rfc1550.txt- paradigm influence the IPng selection? 
../data/rfc/rfc1550.txt- ../data/rfc/rfc1550.txt: 5.12 Accounting - How important a consideration should the ability to ../data/rfc/rfc1550.txt: do accounting be in the selection of an IPng? What, if any, ../data/rfc/rfc1550.txt: features should be included in an IPng to support accounting ../data/rfc/rfc1550.txt- functions? ../data/rfc/rfc1550.txt- ../data/rfc/rfc1550.txt- 5.13 Support of communication media - IPv4 can be supported over most ../data/rfc/rfc1550.txt- known types of communications media. How important is this same ../data/rfc/rfc1550.txt- flexibility to an IPng? -- ../data/rfc/rfc3387.txt- The majority of current activity on higher level management functions ../data/rfc/rfc3387.txt- for IP networks have been restricted to the issue of providing QoS. ../data/rfc/rfc3387.txt- Many service issues still remain to be resolved with respect to the ../data/rfc/rfc3387.txt- current best effort paradigm and many more can be expected if true ../data/rfc/rfc3387.txt- QoS support is realized. Authentication, authorization and ../data/rfc/rfc3387.txt: accounting services still inadequate for the existing best effort ../data/rfc/rfc3387.txt- service will need additional work to support QoS services. ../data/rfc/rfc3387.txt- ../data/rfc/rfc3387.txt- It is reasonable that services can be classified into application ../data/rfc/rfc3387.txt- level services and transport level services. Transport services are ../data/rfc/rfc3387.txt- the services that the network provides independent of any -- ../data/rfc/rfc3387.txt- the configuration of a path between two endpoints. Even within this ../data/rfc/rfc3387.txt- limited scope there still remains many unresolved issues. There is ../data/rfc/rfc3387.txt- no expectation that a QoS path for traffic between two points needs ../data/rfc/rfc3387.txt- to be, or should be, the same in both directions. 
Given that there ../data/rfc/rfc3387.txt- will be an originator of the connection there are questions about how ../data/rfc/rfc3387.txt: billing and accounting will be resolved if the return path is ../data/rfc/rfc3387.txt- established by a different provider than that of the originator of ../data/rfc/rfc3387.txt- the connection. To facilitate billing, a method will need to exist ../data/rfc/rfc3387.txt- that permits the application originating the call to pay also for the ../data/rfc/rfc3387.txt- return path and also for collect calls to be made. 3rd party ../data/rfc/rfc3387.txt- -- ../data/rfc/rfc3387.txt- configuration, fault detection, and recovery. Network devices will ../data/rfc/rfc3387.txt- need to inform the management system of their available resources and ../data/rfc/rfc3387.txt- the management system will need to tell devices how and where to ../data/rfc/rfc3387.txt- forward data. ../data/rfc/rfc3387.txt- ../data/rfc/rfc3387.txt: Between administrative regions, accounting, service signaling, and ../data/rfc/rfc3387.txt- service verification will be needed. At the administrative ../data/rfc/rfc3387.txt- boundaries of the network, functions similar to those provided at the ../data/rfc/rfc3387.txt- edge will be necessary. Peer entities in different administrative ../data/rfc/rfc3387.txt- domains would signal their needs across the boundary. Verification ../data/rfc/rfc3387.txt- at the boundary could then occur consistent with the verification at -- ../data/rfc/rfc6622.txt- This document specifies ../data/rfc/rfc6622.txt- ../data/rfc/rfc6622.txt- o Two TLVs for carrying Integrity Check Values (ICVs) and timestamps ../data/rfc/rfc6622.txt- in packets, messages, and address blocks as defined by [RFC5444]. 
../data/rfc/rfc6622.txt- ../data/rfc/rfc6622.txt: o A generic framework for ICVs, accounting (for Message TLVs) for ../data/rfc/rfc6622.txt- mutable message header fields (<msg-hop-limit> and ../data/rfc/rfc6622.txt- <msg-hop-count>), where these fields are present in messages. ../data/rfc/rfc6622.txt- ../data/rfc/rfc6622.txt- This document sets up IANA registries for recording code points for ../data/rfc/rfc6622.txt- hash-function and ICV calculation, respectively. -- ../data/rfc/rfc2210.txt- ../data/rfc/rfc2210.txt- Several types of data must be transported between applications and ../data/rfc/rfc2210.txt- network elements to correctly invoke QoS control services. ../data/rfc/rfc2210.txt- ../data/rfc/rfc2210.txt- NOTE: In addition to the data used to directly invoke QoS control ../data/rfc/rfc2210.txt: services, RSVP carries authentication, accounting, and policy ../data/rfc/rfc2210.txt- information needed to manage the use of these services. This note ../data/rfc/rfc2210.txt- is concerned only with the RSVP objects needed to actually invoke ../data/rfc/rfc2210.txt: QoS control services, and does not discuss accounting or policy ../data/rfc/rfc2210.txt- objects. ../data/rfc/rfc2210.txt- ../data/rfc/rfc2210.txt- This data includes: ../data/rfc/rfc2210.txt- ../data/rfc/rfc2210.txt- - Information generated by each receiver describing the QoS -- ../data/rfc/rfc4655.txt- For example, stateless PCEs may compute paths based on current TED ../data/rfc/rfc4655.txt- information, which could be out of sync with actual network state ../data/rfc/rfc4655.txt- given other recent PCE-computed paths changes. Note that a PCC may ../data/rfc/rfc4655.txt- include a set of previously computed paths in its request, in order ../data/rfc/rfc4655.txt- to take them into account, for instance, to avoid double bandwidth ../data/rfc/rfc4655.txt: accounting or to try to minimize changes (minimum perturbation ../data/rfc/rfc4655.txt- problem). 
../data/rfc/rfc4655.txt- ../data/rfc/rfc4655.txt- ../data/rfc/rfc4655.txt- ../data/rfc/rfc4655.txt- -- ../data/rfc/rfc4072.txt- 2.3.3. Scenario 3: Direct EAP, Authorization via Agents ..9 ../data/rfc/rfc4072.txt- 2.3.4. Scenario 4: Proxy Agents .........................10 ../data/rfc/rfc4072.txt- 2.4. Invalid Packets .........................................10 ../data/rfc/rfc4072.txt- 2.5. Retransmission ..........................................11 ../data/rfc/rfc4072.txt- 2.6. Fragmentation ...........................................12 ../data/rfc/rfc4072.txt: 2.7. Accounting ..............................................12 ../data/rfc/rfc4072.txt- 2.8. Usage Guidelines ........................................13 ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt-Eronen, et al. Standards Track [Page 1] -- ../data/rfc/rfc4072.txt- 4.1. New AVPs ................................................18 ../data/rfc/rfc4072.txt- 4.1.1. EAP-Payload AVP ..................................18 ../data/rfc/rfc4072.txt- 4.1.2. EAP-Reissued-Payload AVP .........................18 ../data/rfc/rfc4072.txt- 4.1.3. EAP-Master-Session-Key AVP .......................19 ../data/rfc/rfc4072.txt- 4.1.4. EAP-Key-Name AVP .................................19 ../data/rfc/rfc4072.txt: 4.1.5. Accounting-EAP-Auth-Method AVP ...................19 ../data/rfc/rfc4072.txt- 5. AVP Occurrence Tables .........................................19 ../data/rfc/rfc4072.txt- 5.1. EAP Command AVP Table ...................................20 ../data/rfc/rfc4072.txt: 5.2. Accounting AVP Table ....................................21 ../data/rfc/rfc4072.txt- 6. RADIUS/Diameter Interactions ..................................22 ../data/rfc/rfc4072.txt- 6.1. RADIUS Request Forwarded as Diameter Request ............22 ../data/rfc/rfc4072.txt- 6.2. Diameter Request Forwarded as RADIUS Request ............23 ../data/rfc/rfc4072.txt: 6.3. 
Accounting Requests .....................................24 ../data/rfc/rfc4072.txt- 7. IANA Considerations ...........................................24 ../data/rfc/rfc4072.txt- 8. Security Considerations .......................................24 ../data/rfc/rfc4072.txt- 8.1. Overview ................................................24 ../data/rfc/rfc4072.txt- 8.2. AVP Editing .............................................26 ../data/rfc/rfc4072.txt- 8.3. Negotiation Attacks .....................................27 -- ../data/rfc/rfc4072.txt- 802.11, the RADIUS server may send an EAP packet as large as ../data/rfc/rfc4072.txt- Framed-MTU minus four (4) octets, taking into account the additional ../data/rfc/rfc4072.txt- overhead for the IEEE 802.1X Version (1 octet), Type (1 octet) and ../data/rfc/rfc4072.txt- Body Length (2 octets) fields. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt:2.7. Accounting ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- When a user is authenticated using EAP, the NAS MAY include an ../data/rfc/rfc4072.txt: Accounting-Auth-Method AVP [NASREQ] with value 5 (EAP) in ../data/rfc/rfc4072.txt: Accounting-Request messages. This document specifies one additional ../data/rfc/rfc4072.txt: AVP for accounting messages. One or more Accounting-EAP-Auth-Method ../data/rfc/rfc4072.txt: AVPs (see Section 4.1.5) MAY be included in Accounting-Request ../data/rfc/rfc4072.txt- messages to indicate the EAP method(s) used to authenticate the user. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- If the NAS has authenticated the user with a locally implemented EAP ../data/rfc/rfc4072.txt- method, it knows the method used and SHOULD include it in an ../data/rfc/rfc4072.txt: Accounting-EAP-Auth-Method AVP. 
../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- If the authentication was done using Diameter-EAP-Request/Answer ../data/rfc/rfc4072.txt- messages, the Diameter server SHOULD include one or more ../data/rfc/rfc4072.txt: Accounting-EAP-Auth-Method AVPs in Diameter-EAP-Answer packets with a ../data/rfc/rfc4072.txt- successful result code. In this case, the NAS SHOULD include these ../data/rfc/rfc4072.txt: AVPs in Accounting-Request messages. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- -- ../data/rfc/rfc4072.txt- the user's identity by inserting a User-Name AVP to ../data/rfc/rfc4072.txt- Diameter-EAP-Answer messages that have a Result-Code of ../data/rfc/rfc4072.txt- DIAMETER_SUCCESS. A separate billing identifier or pseudonym MAY be ../data/rfc/rfc4072.txt- used for privacy reasons (see Section 8.5). If the user's identity ../data/rfc/rfc4072.txt- is not available to the NAS, the Session-Id AVP MAY be used for ../data/rfc/rfc4072.txt: accounting and billing; however operationally this could be very ../data/rfc/rfc4072.txt- difficult to manage. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt-2.8.2. Conflicting AVPs ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- A Diameter-EAP-Answer message containing an EAP-Payload of type -- ../data/rfc/rfc4072.txt- used, and the commands follow the rules and ABNF defined in [NASREQ]. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- When the Re-Auth-Request (RAR), Re-Auth-Answer (RAA), ../data/rfc/rfc4072.txt- Session-Termination-Request (STR), Session-Termination-Answer (STA), ../data/rfc/rfc4072.txt- Abort-Session-Request (ASR), Abort-Session-Answer (ASA), ../data/rfc/rfc4072.txt: Accounting-Request (ACR), and Accounting-Answer (ACA) commands are ../data/rfc/rfc4072.txt- used together with the Diameter EAP application, they follow the ../data/rfc/rfc4072.txt: rules in [NASREQ] and [BASE]. 
The accounting commands use ../data/rfc/rfc4072.txt: Application Identifier value of 3 (Diameter Base Accounting); the ../data/rfc/rfc4072.txt- others use 0 (Diameter Common Messages). ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt-3.1. Diameter-EAP-Request (DER) Command ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- The Diameter-EAP-Request (DER) command, indicated by the Command-Code -- ../data/rfc/rfc4072.txt- [ EAP-Payload ] ../data/rfc/rfc4072.txt- [ EAP-Reissued-Payload ] ../data/rfc/rfc4072.txt- [ EAP-Master-Session-Key ] ../data/rfc/rfc4072.txt- [ EAP-Key-Name ] ../data/rfc/rfc4072.txt- [ Multi-Round-Time-Out ] ../data/rfc/rfc4072.txt: [ Accounting-EAP-Auth-Method ] ../data/rfc/rfc4072.txt- [ Service-Type ] ../data/rfc/rfc4072.txt- * [ Class ] ../data/rfc/rfc4072.txt- * [ Configuration-Token ] ../data/rfc/rfc4072.txt- [ Acct-Interim-Interval ] ../data/rfc/rfc4072.txt- [ Error-Message ] -- ../data/rfc/rfc4072.txt- Diameter-EAP-Request with a Key-Name AVP with non-empty data MUST ../data/rfc/rfc4072.txt- silently discard the AVP. In addition, the home Diameter server ../data/rfc/rfc4072.txt- SHOULD include this AVP in Diameter-EAP-Response only if an empty ../data/rfc/rfc4072.txt- EAP-Key-Name AVP was present in Diameter-EAP-Request. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt:4.1.5. Accounting-EAP-Auth-Method AVP ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt: The Accounting-EAP-Auth-Method AVP (AVP Code 465) is of type ../data/rfc/rfc4072.txt- Unsigned64. In case of expanded types [EAP, Section 5.7], this AVP ../data/rfc/rfc4072.txt- contains the value ((Vendor-Id * 2^32) + Vendor-Type). ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- The use of this AVP is described in Section 2.7. 
../data/rfc/rfc4072.txt- -- ../data/rfc/rfc4072.txt- +---------------+ ../data/rfc/rfc4072.txt- | Command-Code | ../data/rfc/rfc4072.txt- |-------+-------+ ../data/rfc/rfc4072.txt- Attribute Name | DER | DEA | ../data/rfc/rfc4072.txt- ------------------------------------|-------+-------| ../data/rfc/rfc4072.txt: Accounting-EAP-Auth-Method | 0 | 0+ | ../data/rfc/rfc4072.txt- Acct-Interim-Interval [BASE] | 0 | 0-1 | ../data/rfc/rfc4072.txt- Auth-Application-Id [BASE] | 1 | 1 | ../data/rfc/rfc4072.txt- Auth-Grace-Period [BASE] | 0-1 | 0-1 | ../data/rfc/rfc4072.txt- Auth-Request-Type [BASE] | 1 | 1 | ../data/rfc/rfc4072.txt- Auth-Session-State [BASE] | 0-1 | 0-1 | -- ../data/rfc/rfc4072.txt- Session-Timeout [BASE] | 0 | 0-1 | ../data/rfc/rfc4072.txt- State [NASREQ] | 0-1 | 0-1 | ../data/rfc/rfc4072.txt- Tunneling [NASREQ] | 0+ | 0+ | ../data/rfc/rfc4072.txt- User-Name [BASE] | 0-1 | 0-1 | ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt:5.2. Accounting AVP Table ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- The table in this section is used to represent which AVPs defined in ../data/rfc/rfc4072.txt: this document are to be present in the Accounting messages, as ../data/rfc/rfc4072.txt- defined in [BASE]. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- +-----------+ ../data/rfc/rfc4072.txt- | Command | ../data/rfc/rfc4072.txt- | Code | ../data/rfc/rfc4072.txt- |-----+-----+ ../data/rfc/rfc4072.txt- Attribute Name | ACR | ACA | ../data/rfc/rfc4072.txt- ---------------------------------------|-----+-----+ ../data/rfc/rfc4072.txt: Accounting-EAP-Auth-Method | 0+ | 0 | ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- -- ../data/rfc/rfc4072.txt- attributes [RFC2548]. The first up to 32 octets of the key is ../data/rfc/rfc4072.txt- stored into MS-MPPE-Recv-Key, and the next up to 32 octets (if ../data/rfc/rfc4072.txt- present) are stored into MS-MPPE-Send-Key. 
The encryption of this ../data/rfc/rfc4072.txt- attribute is described in [RFC2548]. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt: o Diameter Accounting-EAP-Auth-Method AVPs, if present, are ../data/rfc/rfc4072.txt- discarded. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- -- ../data/rfc/rfc4072.txt- translated to an empty RADIUS EAP-Message attribute. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- o The type (or expanded type) field from the EAP-Payload AVP can be ../data/rfc/rfc4072.txt- saved either in a local state table, or encoded in a RADIUS ../data/rfc/rfc4072.txt- Proxy-State attribute. This information is needed to construct an ../data/rfc/rfc4072.txt: Accounting-EAP-Auth-Method AVP for the answer message (see below). ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- RADIUS Access-Accept/Reject/Challenge to Diameter-EAP-Answer: ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- o If the RADIUS Access-Challenge message does not contain an ../data/rfc/rfc4072.txt- Error-Cause attribute [RFC3576] with value 202 (decimal), "Invalid -- ../data/rfc/rfc4072.txt- MS-MPPE-Send-Key next), and the concatenated value is stored into ../data/rfc/rfc4072.txt- a Diameter EAP-Master-Session-Key AVP. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- o If the Diameter-EAP-Answer will have a successful result code, the ../data/rfc/rfc4072.txt- saved state (see above) can be used to construct an ../data/rfc/rfc4072.txt: Accounting-EAP-Auth-Method AVP. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- -- ../data/rfc/rfc4072.txt-Eronen, et al. Standards Track [Page 23] ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt-RFC 4072 Diameter EAP Application August 2005 ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt:6.3. 
Accounting Requests ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt: In Accounting-Requests, the vendor-specific RADIUS MS-Acct-EAP-Type ../data/rfc/rfc4072.txt- attribute [RFC2548] can be translated to a Diameter ../data/rfc/rfc4072.txt: Accounting-EAP-Auth-Method AVP, and vice versa. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- When translating from Diameter to RADIUS, note that the ../data/rfc/rfc4072.txt- MS-Acct-EAP-Type attribute does not support expanded EAP types. Type ../data/rfc/rfc4072.txt- values greater than 255 should be translated to type 254. ../data/rfc/rfc4072.txt- -- ../data/rfc/rfc4072.txt- from the AVP Code namespace defined in [BASE] as follows: ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- 462 for EAP-Payload (defined in Section 4.1.1), ../data/rfc/rfc4072.txt- 463 for EAP-Reissued-Payload (defined in Section 4.1.2), ../data/rfc/rfc4072.txt- 464 for EAP-Master-Session-Key (defined in Section 4.1.3), and ../data/rfc/rfc4072.txt: 465 for Accounting-EAP-Auth-Method (defined in Section 4.1.5). ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- o This document defines one new AVP (attribute) whose AVP Code ../data/rfc/rfc4072.txt- (Attribute Type) is to be allocated from the Attribute Type ../data/rfc/rfc4072.txt- namespace defined in [RFC2865] and [RFC3575]. The Radius ../data/rfc/rfc4072.txt- Attribute Type for EAP-Key-Name (defined in Section 4.1.4) is 102. -- ../data/rfc/rfc4072.txt- o Modify Calling-Station-ID (either to hide the true value, gain ../data/rfc/rfc4072.txt- access, or frame someone else). ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- o Modify password change messages (some vendor-specific attributes). ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt: o Modify usage information in accounting messages. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- o Modify contents of Class and State AVPs. 
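Added worked example for the RFC 4072 material above (Sections 2.7, 4.1.5, 6.2 and 6.3): this is editor-written code, not text or code from RFC 4072 or from any Diameter/RADIUS implementation. It builds the Accounting-EAP-Auth-Method AVP (Code 465, Unsigned64) for both legacy and expanded EAP types, parses it back with the length and flag checks a NAS or translation agent should apply, applies the Diameter-to-RADIUS rule that any type value above 255 becomes 254 in MS-Acct-EAP-Type, and splits an EAP-Master-Session-Key into the MS-MPPE-Recv-Key / MS-MPPE-Send-Key halves (and joins them again). Assumptions not in the page: the AVP's M (mandatory) flag is set; Vendor-Id 311 and Vendor-Type 7 are only constructed sample inputs; the MS-Acct-EAP-Type result is returned as an integer rather than serialized as a RADIUS attribute.

```python
# Added example, not code from RFC 4072 or from any AAA implementation.
import struct

ACCT_EAP_AUTH_METHOD = 465   # AVP Code (RFC 4072 Sections 4.1.5 and 7)
EAP_TYPE_EXPANDED = 254      # expanded EAP type (RFC 3748 Section 5.7)
AVP_FLAG_V = 0x80            # Diameter vendor-specific bit; not used here
AVP_FLAG_M = 0x40            # Diameter mandatory bit; set here by assumption
AVP_HEADER_LEN = 8           # Code (4) + Flags (1) + Length (3), no Vendor-Id


def eap_method_value(eap_type, vendor_id=0, vendor_type=0):
    """Value carried in Accounting-EAP-Auth-Method (Unsigned64).
    Legacy types are carried as-is; an expanded type (254) is carried as
    (Vendor-Id * 2^32) + Vendor-Type, as Section 4.1.5 requires."""
    if not 0 <= eap_type <= 255:
        raise ValueError("EAP type is one octet")
    if eap_type != EAP_TYPE_EXPANDED:
        return eap_type
    if not 0 <= vendor_id < 1 << 24 or not 0 <= vendor_type < 1 << 32:
        raise ValueError("Vendor-Id is 3 octets, Vendor-Type is 4 octets")
    return (vendor_id << 32) + vendor_type


def decode_value(value):
    """Inverse of eap_method_value: (eap_type, vendor_id, vendor_type).
    Anything above 255 cannot be a legacy type, so it is expanded."""
    if value <= 255:
        return value, 0, 0
    vendor_id, vendor_type = value >> 32, value & 0xFFFFFFFF
    if vendor_id >= 1 << 24:
        raise ValueError("Vendor-Id does not fit in 3 octets")
    return EAP_TYPE_EXPANDED, vendor_id, vendor_type


def encode_avp(value):
    """Serialize the AVP: Code, Flags, 24-bit Length, then the Unsigned64.
    8 + 8 = 16 octets, already 32-bit aligned, so no padding is needed."""
    data = struct.pack("!Q", value)
    length = AVP_HEADER_LEN + len(data)
    return (struct.pack("!I", ACCT_EAP_AUTH_METHOD) + bytes([AVP_FLAG_M])
            + length.to_bytes(3, "big") + data)


def decode_avp(buf):
    """Parse one Accounting-EAP-Auth-Method AVP and return its value,
    rejecting a wrong code, a vendor-specific form, or a bad length."""
    if len(buf) < AVP_HEADER_LEN:
        raise ValueError("truncated AVP header")
    code, flags = struct.unpack("!IB", buf[:5])
    length = int.from_bytes(buf[5:8], "big")
    if code != ACCT_EAP_AUTH_METHOD:
        raise ValueError("unexpected AVP code %d" % code)
    if flags & AVP_FLAG_V:
        raise ValueError("V bit set on a base-namespace AVP")
    if length != AVP_HEADER_LEN + 8 or len(buf) < length:
        raise ValueError("bad AVP length %d" % length)
    return struct.unpack("!Q", buf[AVP_HEADER_LEN:length])[0]


def to_ms_acct_eap_type(value):
    """Diameter -> RADIUS (Section 6.3). MS-Acct-EAP-Type holds a one-octet
    type, so every value above 255 (all expanded types) becomes 254."""
    return value if value <= 255 else EAP_TYPE_EXPANDED


def msk_to_mppe_keys(msk):
    """Diameter EAP-Master-Session-Key -> RADIUS (Section 6.2): the first up
    to 32 octets go to MS-MPPE-Recv-Key, the next up to 32 (if present) to
    MS-MPPE-Send-Key. Returns (recv_key, send_key), send_key None if absent."""
    recv_key = msk[:32]
    send_key = msk[32:64] if len(msk) > 32 else None
    return recv_key, send_key


def mppe_keys_to_msk(recv_key, send_key):
    """RADIUS -> Diameter: Recv-Key first, Send-Key next, concatenated."""
    return bytes(recv_key) + bytes(send_key or b"")


if __name__ == "__main__":
    # Constructed sample: PEAP (legacy type 25) and an expanded type with
    # Vendor-Id 311 and Vendor-Type 7 (sample values only).
    for value in (eap_method_value(25),
                  eap_method_value(EAP_TYPE_EXPANDED, 311, 7)):
        avp = encode_avp(value)
        print(avp.hex(), decode_value(decode_avp(avp)),
              "MS-Acct-EAP-Type =", to_ms_acct_eap_type(value))
```

The 254 translation is lossy: once an expanded method has been reported as MS-Acct-EAP-Type 254, the Vendor-Id and Vendor-Type cannot be recovered on the RADIUS side, which is why a RADIUS/Diameter gateway that needs the exact method for billing should keep the Diameter value in its own state rather than round-tripping through the RADIUS attribute.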
../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- Some of these attacks can be prevented if the NAS or server is ../data/rfc/rfc4072.txt- configured to not accept some particular AVPs, or accepts them only -- ../data/rfc/rfc4072.txt- inside EAP-Payload AVPs, and it may be possible to eavesdrop this ../data/rfc/rfc4072.txt- between the user and the NAS. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- This can be mitigated somewhat by using EAP methods that provide ../data/rfc/rfc4072.txt- identity protection (see [EAP], Section 7.3), and using Session-Id or ../data/rfc/rfc4072.txt: pseudonyms for accounting. ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt- ../data/rfc/rfc4072.txt-Eronen, et al. Standards Track [Page 28] ../data/rfc/rfc4072.txt- -- ../data/rfc/rfc6440.txt- ../data/rfc/rfc6440.txt-2.2. Acronyms ../data/rfc/rfc6440.txt- ../data/rfc/rfc6440.txt- o FQDN: Fully Qualified Domain Name ../data/rfc/rfc6440.txt- ../data/rfc/rfc6440.txt: o AAA: Authentication, Authorization, and Accounting ../data/rfc/rfc6440.txt- ../data/rfc/rfc6440.txt- o DSRK: Domain-Specific Root Key ../data/rfc/rfc6440.txt- ../data/rfc/rfc6440.txt-3. Option Format ../data/rfc/rfc6440.txt- -- ../data/rfc/rfc4149.txt- ../data/rfc/rfc4149.txt-5.6. RTFM ../data/rfc/rfc4149.txt- ../data/rfc/rfc4149.txt- The Realtime Traffic Flow Measurement (RTFM) working group is ../data/rfc/rfc4149.txt- concerned with issues relating to traffic flow measurements and usage ../data/rfc/rfc4149.txt: reporting for network traffic and Internet accounting. Various ../data/rfc/rfc4149.txt- documents exist that describe requirements [RFC1272], traffic flow ../data/rfc/rfc4149.txt- measurement architectures [RFC2722], and a traffic flow MIB ../data/rfc/rfc4149.txt- [RFC2720]. The work in this group is focused on passive measurements ../data/rfc/rfc4149.txt- of user traffic. As such, its work is related to the monitoring work ../data/rfc/rfc4149.txt- within the RMON WG. 
Fundamentally, their attention has not been -- ../data/rfc/rfc4149.txt- [RFC4150] Dietz, R. and R. Cole, "Transport Performance Metrics ../data/rfc/rfc4149.txt- MIB", RFC 4150, August 2005. ../data/rfc/rfc4149.txt- ../data/rfc/rfc4149.txt-11. Informative References ../data/rfc/rfc4149.txt- ../data/rfc/rfc4149.txt: [RFC1272] Mills, C., Hirsch, G., and G. Ruth, "Internet Accounting ../data/rfc/rfc4149.txt- Background", RFC 1272, November 1991. ../data/rfc/rfc4149.txt- ../data/rfc/rfc4149.txt- [RFC2021] Waldbusser, S., "Remote Network Monitoring Management ../data/rfc/rfc4149.txt- Information Base Version 2 using SMIv2", RFC 2021, ../data/rfc/rfc4149.txt- January 1997. -- ../data/rfc/rfc2150.txt- what hardware and OS you'll need, there are a great deal of software ../data/rfc/rfc2150.txt- packages available to help you with all sorts of things on the ../data/rfc/rfc2150.txt- computer. ../data/rfc/rfc2150.txt- ../data/rfc/rfc2150.txt- Software designed to make your life easier by using your computer ../data/rfc/rfc2150.txt: includes dictionaries and other reference materials, accounting, ../data/rfc/rfc2150.txt- bookkeeping, desktop publishing and other business needs software, as ../data/rfc/rfc2150.txt- ../data/rfc/rfc2150.txt- ../data/rfc/rfc2150.txt- ../data/rfc/rfc2150.txt- -- ../data/rfc/rfc725.txt-such as status or help. ../data/rfc/rfc725.txt- ../data/rfc/rfc725.txt-x2z Connection - Replies referring to the Telnet and data ../data/rfc/rfc725.txt-connections. ../data/rfc/rfc725.txt- ../data/rfc/rfc725.txt:x3z Authentication and accounting - Replies for the logon process ../data/rfc/rfc725.txt-and accounting procedures. ../data/rfc/rfc725.txt- ../data/rfc/rfc725.txt-x4z Unspecified as yet. ../data/rfc/rfc725.txt- ../data/rfc/rfc725.txt-x5z File system - These replies indicate the status of the Server -- ../data/rfc/rfc2809.txt-4.1.1. 
NAS authentication ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- With this approach, authentication and authorization (including ../data/rfc/rfc2809.txt- tunneling information) occurs once, at the NAS. The advantages of ../data/rfc/rfc2809.txt- this approach are that it disallows network access for unauthorized ../data/rfc/rfc2809.txt: NAS users, and permits accounting to be done at the NAS. Disadvantages ../data/rfc/rfc2809.txt- are that it requires that the tunnel server trust the NAS, since no ../data/rfc/rfc2809.txt- user authentication occurs at the tunnel server. Due to the lack of ../data/rfc/rfc2809.txt: user authentication, accounting cannot take place at the tunnel ../data/rfc/rfc2809.txt- server with strong assurance that the correct party is being billed. ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- NAS-only authentication is most typically employed along with LCP ../data/rfc/rfc2809.txt- forwarding and tunnel authentication, both of which are supported in ../data/rfc/rfc2809.txt- L2TP, described in [2]. Thus, the tunnel server can be set up to -- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- With this approach, authentication and authorization occurs once at ../data/rfc/rfc2809.txt- the NAS and the RADIUS reply is forwarded to the tunnel server. This ../data/rfc/rfc2809.txt- approach disallows network access for unauthorized NAS users; does ../data/rfc/rfc2809.txt- not require trust between the NAS and tunnel server; and allows for ../data/rfc/rfc2809.txt: accounting to be done at both ends of the tunnel. However, it also ../data/rfc/rfc2809.txt- requires that both ends share the same secret with the RADIUS server, ../data/rfc/rfc2809.txt- since that is the only way that the tunnel server can check the ../data/rfc/rfc2809.txt- RADIUS Access-Reply. 
../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- In this approach, the tunnel server will share secrets with all the -- ../data/rfc/rfc2809.txt- allows the RADIUS server to authorize users based on the calling ../data/rfc/rfc2809.txt- phone number or to provide tunnel attributes based on the Calling- ../data/rfc/rfc2809.txt- Station-Id or Called-Station-Id. Similarly, in L2TP the tunnel ../data/rfc/rfc2809.txt- server MAY choose to reject or accept the call based on the Dialed ../data/rfc/rfc2809.txt- Number and Dialing Number included in the L2TP Incoming-Call-Request ../data/rfc/rfc2809.txt: packet sent by the NAS. Accounting can also take place based on the ../data/rfc/rfc2809.txt- Calling-Station-Id and Called-Station-Id. ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- RADIUS as defined in [1] requires that an Access-Request packet ../data/rfc/rfc2809.txt- contain a User-Name attribute as well as either a CHAP-Password or ../data/rfc/rfc2809.txt- User-Password attribute, which must be non-empty. To satisfy this -- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- Send data through the tunnel ../data/rfc/rfc2809.txt- Re-negotiate LCP, ../data/rfc/rfc2809.txt- authenticate user, ../data/rfc/rfc2809.txt- bring up IPCP, ../data/rfc/rfc2809.txt: start accounting ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- -- ../data/rfc/rfc2809.txt- result, this scheme typically uses either the domain portion of the ../data/rfc/rfc2809.txt- userID or attribute-specific processing on the RADIUS server. Since ../data/rfc/rfc2809.txt- the user identity is never verified by the NAS, either the tunnel ../data/rfc/rfc2809.txt- server owner must be willing to be billed for all incoming calls, or ../data/rfc/rfc2809.txt- other information such as the Calling-Station-Id must be used to ../data/rfc/rfc2809.txt: verify the user's identity for accounting purposes. 
../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- In attribute-specific processing RADIUS may be employed and an ../data/rfc/rfc2809.txt- attribute is used to signal tunnel initiation. For example, tunnel ../data/rfc/rfc2809.txt- attributes can be sent back if the User-Password attribute contains a ../data/rfc/rfc2809.txt- dummy value (such as "tunnel" or "L2TP"). Alternatively, a userID -- ../data/rfc/rfc2809.txt- Another solution involves using the domain portion of the userID; all ../data/rfc/rfc2809.txt- users in domain X would be tunneled to address Y. This proposal ../data/rfc/rfc2809.txt- supports compulsory tunneling, but does not provide for user-based ../data/rfc/rfc2809.txt- tunneling. ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt: In order for the NAS to start accounting on the connection, it would ../data/rfc/rfc2809.txt- need to use the identity claimed by the user in authenticating to the ../data/rfc/rfc2809.txt- tunnel server, since it did not verify the identity via RADIUS. ../data/rfc/rfc2809.txt: However, in order for that to be of any use in accounting, the tunnel ../data/rfc/rfc2809.txt- endpoint needs to have an account relationship with the NAS owner. ../data/rfc/rfc2809.txt- Thus even if a user has an account with the NAS owner, they cannot ../data/rfc/rfc2809.txt- use this account for tunneling unless the tunnel endpoint also has a ../data/rfc/rfc2809.txt- business relationship with the NAS owner. Thus this approach is ../data/rfc/rfc2809.txt- incompatible with roaming. -- ../data/rfc/rfc2809.txt- client. ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- In performing the PPP authentication, the tunnel server can access ../data/rfc/rfc2809.txt- its own user database, or it MAY send a RADIUS Access-Request. After ../data/rfc/rfc2809.txt- the tunnel has been brought up, the NAS and tunnel server can start ../data/rfc/rfc2809.txt: accounting. 
../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- -- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- Send data through the tunnel ../data/rfc/rfc2809.txt- Re-negotiate LCP, ../data/rfc/rfc2809.txt- authenticate user, ../data/rfc/rfc2809.txt- bring up IPCP, ../data/rfc/rfc2809.txt: start accounting ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt-4.2. Dual authentication ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- In this scheme, authentication occurs both at the NAS and the tunnel ../data/rfc/rfc2809.txt- server. This requires the dial-up client to handle dual -- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt-RFC 2809 L2TP Compulsory Tunneling via RADIUS April 2000 ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- Advantages of dual authentication include support for authentication ../data/rfc/rfc2809.txt: and accounting at both ends of the tunnel; use of a single ../data/rfc/rfc2809.txt- userID/password pair via implementation of RADIUS on the tunnel ../data/rfc/rfc2809.txt- network server; no requirement for telephone-number based ../data/rfc/rfc2809.txt- authentication, or attribute-specific processing on the RADIUS ../data/rfc/rfc2809.txt- server. ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt: Dual authentication allows for accounting records to be generated on ../data/rfc/rfc2809.txt- both the NAS and tunnel server ends, making auditing possible. Also ../data/rfc/rfc2809.txt- the tunnel endpoint does not need to have an account relationship ../data/rfc/rfc2809.txt- with the NAS owner, making this approach compatible with roaming. ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- A disadvantage of dual authentication is that unless LCP forwarding -- ../data/rfc/rfc2809.txt- forwarding SHOULD NOT be employed. 
../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- In performing the PPP authentication, the tunnel server can access ../data/rfc/rfc2809.txt- its own user database, or it MAY send a RADIUS Access-Request. After ../data/rfc/rfc2809.txt- the tunnel has been brought up, the NAS and tunnel server can start ../data/rfc/rfc2809.txt: accounting. ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- The interactions involved in initiation of a compulsory tunnel with ../data/rfc/rfc2809.txt- dual authentication are summarized below. ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- -- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- Send data through the tunnel ../data/rfc/rfc2809.txt- Re-negotiate LCP, ../data/rfc/rfc2809.txt- authenticate user, ../data/rfc/rfc2809.txt- bring up IPCP, ../data/rfc/rfc2809.txt: start accounting ../data/rfc/rfc2809.txt- ENDIF ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- -- ../data/rfc/rfc2809.txt- IF user disconnected ../data/rfc/rfc2809.txt- send ../data/rfc/rfc2809.txt- Call-Disconnect-Notify ../data/rfc/rfc2809.txt- message to tunnel server ../data/rfc/rfc2809.txt- Tear down the call ../data/rfc/rfc2809.txt: stop accounting ../data/rfc/rfc2809.txt- ELSE IF client requests ../data/rfc/rfc2809.txt- termination ../data/rfc/rfc2809.txt- send ../data/rfc/rfc2809.txt- Call-Clear-Request ../data/rfc/rfc2809.txt- to the NAS ../data/rfc/rfc2809.txt- Send ../data/rfc/rfc2809.txt- Call-Disconnect-Notify ../data/rfc/rfc2809.txt- message to tunnel server ../data/rfc/rfc2809.txt- Disconnect the user ../data/rfc/rfc2809.txt- Tear down the call ../data/rfc/rfc2809.txt: stop accounting ../data/rfc/rfc2809.txt- ENDIF ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt-6. Use of distinct RADIUS servers ../data/rfc/rfc2809.txt- ../data/rfc/rfc2809.txt- In the case that the NAS and the tunnel server are using distinct -- ../data/rfc/rfc2486.txt- ../data/rfc/rfc2486.txt- [2] Rigney C., Rubens A., Simpson W. 
and S. Willens, "Remote ../data/rfc/rfc2486.txt- Authentication Dial In User Service (RADIUS)", RFC 2138, April ../data/rfc/rfc2486.txt- 1997. ../data/rfc/rfc2486.txt- ../data/rfc/rfc2486.txt: [3] Rigney C., "RADIUS Accounting", RFC 2139, April 1997. ../data/rfc/rfc2486.txt- ../data/rfc/rfc2486.txt- [4] Mockapetris, P., "Domain Names - Implementation and ../data/rfc/rfc2486.txt- Specification", STD 13, RFC 1035, November 1987. ../data/rfc/rfc2486.txt- ../data/rfc/rfc2486.txt- [5] Postel, J., "Simple Mail Transfer Protocol", STD 10, RFC 821, -- ../data/rfc/rfc2681.txt- ../data/rfc/rfc2681.txt- ../data/rfc/rfc2681.txt-2.7. Errors and Uncertainties: ../data/rfc/rfc2681.txt- ../data/rfc/rfc2681.txt- The description of any specific measurement method should include an ../data/rfc/rfc2681.txt: accounting and analysis of various sources of error or uncertainty. ../data/rfc/rfc2681.txt- The Framework document provides general guidance on this point, but ../data/rfc/rfc2681.txt- we note here the following specifics related to delay metrics: ../data/rfc/rfc2681.txt- ../data/rfc/rfc2681.txt- + Errors or uncertainties due to uncertainty in the clock of the Src ../data/rfc/rfc2681.txt- host. -- ../data/rfc/rfc2681.txt- + Errors or uncertainties due to time required by the Dst to receive ../data/rfc/rfc2681.txt- the packet from the Src and send the corresponding response. ../data/rfc/rfc2681.txt- ../data/rfc/rfc2681.txt- In addition, the loss threshold may affect the results. Each of ../data/rfc/rfc2681.txt- these are discussed in more detail below, along with a section ../data/rfc/rfc2681.txt: ("Calibration") on accounting for these errors and uncertainties. ../data/rfc/rfc2681.txt- ../data/rfc/rfc2681.txt-2.7.1. Errors or Uncertainties Related to Clocks ../data/rfc/rfc2681.txt- ../data/rfc/rfc2681.txt- The uncertainty in a measurement of round-trip delay is related, in ../data/rfc/rfc2681.txt- part, to uncertainty in the clock of the Src host. 
In the following, -- ../data/rfc/rfc1331.txt- Implementation Note: ../data/rfc/rfc1331.txt- ../data/rfc/rfc1331.txt- Mark idle (continuous ones) SHOULD NOT be used for idle ../data/rfc/rfc1331.txt- synchronous inter-frame time fill. However, certain types of ../data/rfc/rfc1331.txt- circuit-switched links require the use of mark idle, particularly ../data/rfc/rfc1331.txt: those that calculate accounting based on bit activity. When mark ../data/rfc/rfc1331.txt- idle is used on a synchronous link, the implementation MUST ensure ../data/rfc/rfc1331.txt- at least 15 consecutive "1" bits between Flags, and that the Flag ../data/rfc/rfc1331.txt- Sequence is generated at the beginning and end of a frame. ../data/rfc/rfc1331.txt- ../data/rfc/rfc1331.txt-Flag Sequence -- ../data/rfc/rfc1616.txt- allow providers to offer a better quality of service. There is ../data/rfc/rfc1616.txt- presently ongoing work within the IETF Working Group MADMAN to ../data/rfc/rfc1616.txt- define SNMP monitoring and managing of E-mail systems, gateways ../data/rfc/rfc1616.txt- and X.500 directory systems. A number of management areas that ../data/rfc/rfc1616.txt- need to be worked upon include: QOS, Service Level Agreements ../data/rfc/rfc1616.txt: (SLAs), Multiple system queue management, Accounting, Routing Co- ../data/rfc/rfc1616.txt- ../data/rfc/rfc1616.txt- ../data/rfc/rfc1616.txt- ../data/rfc/rfc1616.txt-RARE WG-MSG Task Force 88 [Page 10] ../data/rfc/rfc1616.txt- -- ../data/rfc/rfc1616.txt- - providing global messaging for all e-mail users, but ../data/rfc/rfc1616.txt- recognising the existing market realities of heterogeneous e- ../data/rfc/rfc1616.txt- mail systems, would be enhanced by the establishment of ../data/rfc/rfc1616.txt- gateways to X.400(1988). 
../data/rfc/rfc1616.txt- ../data/rfc/rfc1616.txt: - being able to recover costs by charging and accounting for ../data/rfc/rfc1616.txt- messaging services back to users - this is especially ../data/rfc/rfc1616.txt- important for commercial service providers - is brought about ../data/rfc/rfc1616.txt- by the message auditing capabilities of X.400(1988). ../data/rfc/rfc1616.txt- ../data/rfc/rfc1616.txt- - communication with users that have no access to E-mail (for -- ../data/rfc/rfc7752.txt- 6.1.6. Verifying Correct Operation ........................39 ../data/rfc/rfc7752.txt- 6.2. Management Considerations .................................39 ../data/rfc/rfc7752.txt- 6.2.1. Management Information .............................39 ../data/rfc/rfc7752.txt- 6.2.2. Fault Management ...................................39 ../data/rfc/rfc7752.txt- 6.2.3. Configuration Management ...........................40 ../data/rfc/rfc7752.txt: 6.2.4. Accounting Management ..............................40 ../data/rfc/rfc7752.txt- 6.2.5. Performance Management .............................40 ../data/rfc/rfc7752.txt- 6.2.6. Security Management ................................41 ../data/rfc/rfc7752.txt- 7. TLV/Sub-TLV Code Points Summary ................................41 ../data/rfc/rfc7752.txt- 8. Security Considerations ........................................42 ../data/rfc/rfc7752.txt- 9. References .....................................................43 -- ../data/rfc/rfc7752.txt- ../data/rfc/rfc7752.txt- An implementation SHOULD allow the operator to configure a pair of ../data/rfc/rfc7752.txt- ASN and BGP-LS identifiers (Section 3.2.1.4) per flooding set in ../data/rfc/rfc7752.txt- which the node participates. ../data/rfc/rfc7752.txt- ../data/rfc/rfc7752.txt:6.2.4. Accounting Management ../data/rfc/rfc7752.txt- ../data/rfc/rfc7752.txt- Not Applicable. ../data/rfc/rfc7752.txt- ../data/rfc/rfc7752.txt-6.2.5. 
Performance Management ../data/rfc/rfc7752.txt- -- ../data/rfc/rfc5996.txt- included in the two messages following the one containing the EAP ../data/rfc/rfc5996.txt- Success message. ../data/rfc/rfc5996.txt- ../data/rfc/rfc5996.txt- When the initiator authentication uses EAP, it is possible that the ../data/rfc/rfc5996.txt- contents of the IDi payload is used only for Authentication, ../data/rfc/rfc5996.txt: Authorization, and Accounting (AAA) routing purposes and selecting ../data/rfc/rfc5996.txt- which EAP method to use. This value may be different from the ../data/rfc/rfc5996.txt- identity authenticated by the EAP method. It is important that ../data/rfc/rfc5996.txt- policy lookups and access control decisions use the actual ../data/rfc/rfc5996.txt- authenticated identity. Often the EAP server is implemented in a ../data/rfc/rfc5996.txt- separate AAA server that communicates with the IKEv2 responder. In -- ../data/rfc/rfc4331.txt- Server implementations store and account for their data in many ../data/rfc/rfc4331.txt- different ways. Some of the challenges: ../data/rfc/rfc4331.txt- ../data/rfc/rfc4331.txt- o Some server implementations find it prohibitive to count storage ../data/rfc/rfc4331.txt- used for metadata; others may choose to do so for better ../data/rfc/rfc4331.txt: accounting. ../data/rfc/rfc4331.txt- ../data/rfc/rfc4331.txt- o Older versions of resources may be stored as well. ../data/rfc/rfc4331.txt- ../data/rfc/rfc4331.txt- o Variants of one resource may exist with different content lengths. ../data/rfc/rfc4331.txt- -- ../data/rfc/rfc4331.txt- o Resource bodies can be compressed. ../data/rfc/rfc4331.txt- ../data/rfc/rfc4331.txt- o Some resources may be stored for "free", not counting against ../data/rfc/rfc4331.txt- quota. 
../data/rfc/rfc4331.txt- ../data/rfc/rfc4331.txt: Since server storage accounting can vary so much, clients should ../data/rfc/rfc4331.txt- expect the following: ../data/rfc/rfc4331.txt- ../data/rfc/rfc4331.txt- o The size of a file on the client's file system, or in a PUT ../data/rfc/rfc4331.txt- message, may not correspond to the amount of storage required by ../data/rfc/rfc4331.txt- the server to store the resource. Thus, the client cannot predict -- ../data/rfc/rfc5850.txt- components include a SIP mixer, recording service, announcement ../data/rfc/rfc5850.txt- server, and voice-dialog server. (This is not an exhaustive ../data/rfc/rfc5850.txt- list). ../data/rfc/rfc5850.txt- ../data/rfc/rfc5850.txt- o Include authentication, authorization, policy, logging, and ../data/rfc/rfc5850.txt: accounting mechanisms to allow these primitives to be used safely ../data/rfc/rfc5850.txt- among mutually untrusted participants. Some of these mechanisms ../data/rfc/rfc5850.txt- may be used to assist in billing, but no specific billing system ../data/rfc/rfc5850.txt- will be endorsed. ../data/rfc/rfc5850.txt- ../data/rfc/rfc5850.txt- o Permit graceful fallback to baseline SIP. Definitions for new SIP -- ../data/rfc/rfc2881.txt- Network Access Server (NAS). The purpose of this effort is to set ../data/rfc/rfc2881.txt- the reference space for describing and evaluating NAS service ../data/rfc/rfc2881.txt- protocols, such as RADIUS (RFCs 2865, 2866) [1], [2] and follow-on ../data/rfc/rfc2881.txt- efforts like AAA Working Group, and the Diameter protocol [3]. These ../data/rfc/rfc2881.txt- are protocols for carrying user service information for ../data/rfc/rfc2881.txt: authentication, authorization, accounting, and auditing, between a ../data/rfc/rfc2881.txt- Network Access Server which desires to authenticate its incoming ../data/rfc/rfc2881.txt- calls and a shared authentication server. 
../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt-Table of Contents ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- 1. INTRODUCTION...................................................2 ../data/rfc/rfc2881.txt- 1.1 Scope of this Document ......................................2 ../data/rfc/rfc2881.txt- 1.2 Specific Terminology ........................................3 ../data/rfc/rfc2881.txt- 2. NETWORK ACCESS SYSTEM EQUIPMENT ASSUMPTIONS....................3 ../data/rfc/rfc2881.txt- 3. NAS SERVICES...................................................4 ../data/rfc/rfc2881.txt: 4. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) SERVERS.....5 ../data/rfc/rfc2881.txt- 5. TYPICAL NAS OPERATION SEQUENCE:................................5 ../data/rfc/rfc2881.txt- 5.1 Characteristics of Systems and Sessions: ....................6 ../data/rfc/rfc2881.txt- 5.2 Separation of NAS and AAA server functions ..................7 ../data/rfc/rfc2881.txt- 5.3 Network Management and Administrative features ..............7 ../data/rfc/rfc2881.txt- 6. 
AUTHENTICATION METHODS.........................................8 -- ../data/rfc/rfc2881.txt- 9.1 A Reference Model of a NAS .................................10 ../data/rfc/rfc2881.txt- 9.2 Terminology ................................................11 ../data/rfc/rfc2881.txt- 9.3 Analysis ...................................................13 ../data/rfc/rfc2881.txt- 9.3.1 Authentication and Security .............................13 ../data/rfc/rfc2881.txt- 9.3.2 Authorization and Policy ................................14 ../data/rfc/rfc2881.txt: 9.3.3 Accounting and Auditing .................................14 ../data/rfc/rfc2881.txt- 9.3.4 Resource Management .....................................14 ../data/rfc/rfc2881.txt- 9.3.5 Virtual Private Networks (VPN's) ........................14 ../data/rfc/rfc2881.txt- 9.3.6 Service Quality .........................................15 ../data/rfc/rfc2881.txt- 9.3.7 Roaming .................................................15 ../data/rfc/rfc2881.txt- 10. SECURITY CONSIDERATIONS......................................15 -- ../data/rfc/rfc2881.txt-3. NAS Services ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- The core of what a NAS provides, are dynamic network services. What ../data/rfc/rfc2881.txt- distinguishes a NAS from a typical routing system, is that these ../data/rfc/rfc2881.txt- services are provided on a per-user basis, based on an authentication ../data/rfc/rfc2881.txt: and the service is accounted for. This accounting may lead to ../data/rfc/rfc2881.txt- policies and controls to limit appropriate usage to levels based on ../data/rfc/rfc2881.txt- the availability of network bandwidth, or service agreements between ../data/rfc/rfc2881.txt- the user and the provider. 
../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- Typical services include: -- ../data/rfc/rfc2881.txt-Mitton & Beadles Informational [Page 4] ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt-RFC 2881 NASreq NAS Model July 2000 ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt:4. Authentication, Authorization and Accounting (AAA) Servers ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- Because of the need to authenticate and account, and for practical ../data/rfc/rfc2881.txt- reasons of implementation, NAS systems have come to depend on ../data/rfc/rfc2881.txt- external server systems to implement authentication databases and ../data/rfc/rfc2881.txt: accounting recording. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- By separating these functions from the NAS equipment, they can be ../data/rfc/rfc2881.txt- implemented in general purpose computer systems, that may provide ../data/rfc/rfc2881.txt- better suited long term storage media, and more sophisticated ../data/rfc/rfc2881.txt- database software infrastructures. Not to mention that a centralized -- ../data/rfc/rfc2881.txt- (such as OS shell login, or Web Server access) from the same ../data/rfc/rfc2881.txt- provider, without creating separate passwords and accounts for the ../data/rfc/rfc2881.txt- user. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- Session activity information is stored and processed to produce ../data/rfc/rfc2881.txt: accounting usage records. This is typically done with a long term ../data/rfc/rfc2881.txt- (nightly, weekly or monthly) batch type process. 
../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- However, as network operations grow in sophistication, there are ../data/rfc/rfc2881.txt- requirements to provide real-time monitoring of port and user status, ../data/rfc/rfc2881.txt- so that the state information can be used to implement policy -- ../data/rfc/rfc2881.txt- - permanent serial connections (printers) ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt-5.1 Characteristics of Systems and Sessions: ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- Sessions must have a user identifier and authenticator to complete ../data/rfc/rfc2881.txt: the authentication process. Accounting starts from time of call or ../data/rfc/rfc2881.txt- service, though finer details are allowed. At the end of service, the ../data/rfc/rfc2881.txt- call may be disconnected or allow re-authentication for additional ../data/rfc/rfc2881.txt- services. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- -- ../data/rfc/rfc2881.txt- Authorization to run services are supplied and applied after ../data/rfc/rfc2881.txt- authentication. A NAS may abort call if session authorization ../data/rfc/rfc2881.txt- information disagrees with call characteristics. Some system ../data/rfc/rfc2881.txt- resources may be controlled by server driven policies ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt: Accounting messages are sent to the accounting server when service ../data/rfc/rfc2881.txt- begins, and ends, and possibly periodically during service delivery. ../data/rfc/rfc2881.txt: Accounting is not necessarily a real-time service, the NAS may be ../data/rfc/rfc2881.txt- queue and batch send event records. 
../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt-5.2 Separation of NAS and AAA server functions ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- As a distributed system, there is a separation of roles between the -- ../data/rfc/rfc2881.txt- - The process of providing a service may lead to requests for ../data/rfc/rfc2881.txt- additional information ../data/rfc/rfc2881.txt- - Service authorization may require real-time enforcement ../data/rfc/rfc2881.txt- (services may be based on Time of Day, or variable cost ../data/rfc/rfc2881.txt- debits) ../data/rfc/rfc2881.txt: - Session accounting information is tallied by the NAS and ../data/rfc/rfc2881.txt- reported to server ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt-5.3 Network Management and Administrative features ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- The NAS system is presumed to have a method of configuration that -- ../data/rfc/rfc2881.txt- end user, and acts as a gateway for all further services. It is the ../data/rfc/rfc2881.txt- point at which users are authenticated, access policy is enforced, ../data/rfc/rfc2881.txt- network services are authorized, network usage is audited, and ../data/rfc/rfc2881.txt- resource consumption is tracked. That is, a NAS often acts as the ../data/rfc/rfc2881.txt- policy enforcement point for network AAAA (authentication, ../data/rfc/rfc2881.txt: authorization, accounting, and auditing) services. A NAS is ../data/rfc/rfc2881.txt- typically the first place in a network where security measures and ../data/rfc/rfc2881.txt- policy may be implemented. 
../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt-9.1 A Reference Model of a NAS ../data/rfc/rfc2881.txt- -- ../data/rfc/rfc2881.txt- +---------------+ | +-------------------+ ../data/rfc/rfc2881.txt- | Authentication| _/^\_ |Device Provisioning| ../data/rfc/rfc2881.txt- +---------------+ _/ \_ +-------------------+ ../data/rfc/rfc2881.txt- | Authorization | _/ \_ |Device Monitoring | ../data/rfc/rfc2881.txt- +---------------+ _/ \_ +-------------------+ ../data/rfc/rfc2881.txt: | Accounting | / The \ ../data/rfc/rfc2881.txt- +---------------+ \_ Network(s) _/ ../data/rfc/rfc2881.txt- | Auditing | \_ _/ ../data/rfc/rfc2881.txt- +---------------+ \_ _/ ../data/rfc/rfc2881.txt- \_ _/ ../data/rfc/rfc2881.txt- \_/ -- ../data/rfc/rfc2881.txt- not limited to: IP address filtering, address assignment, route ../data/rfc/rfc2881.txt- assignment, QoS/differential services, bandwidth control/traffic ../data/rfc/rfc2881.txt- management, compulsory tunneling to a specific endpoint, and ../data/rfc/rfc2881.txt- encryption. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt: Accounting - Accounting refers to the tracking of the consumption of ../data/rfc/rfc2881.txt- NAS resources by users. This information may be used for ../data/rfc/rfc2881.txt- management, planning, billing, or other purposes. Real-time ../data/rfc/rfc2881.txt: accounting refers to accounting information that is delivered ../data/rfc/rfc2881.txt- concurrently with the consumption of the resources. Batch ../data/rfc/rfc2881.txt: accounting refers to accounting information that is saved until it ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- -- ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt-RFC 2881 NASreq NAS Model July 2000 ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- is delivered at a later time. 
Typical information that is ../data/rfc/rfc2881.txt: gathered in accounting is the identity of the user, the nature of ../data/rfc/rfc2881.txt- the service delivered, when the service began, and when it ended. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- Auditing - Auditing refers to the tracking of activity by users. As ../data/rfc/rfc2881.txt: opposed to accounting, where the purpose is to track consumption ../data/rfc/rfc2881.txt- of resources, the purpose of auditing is to determine the nature ../data/rfc/rfc2881.txt- of a user's network activity. Examples of auditing information ../data/rfc/rfc2881.txt- include the identity of the user, the nature of the services used, ../data/rfc/rfc2881.txt- what hosts were accessed when, what protocols were used, etc. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- AAAA Server - An AAAA Server is a server or servers that provide ../data/rfc/rfc2881.txt: authentication, authorization, accounting, and auditing services. ../data/rfc/rfc2881.txt- These may be co-located with the NAS, or more typically, are ../data/rfc/rfc2881.txt- located on a separate server and communicate with the NAS's User ../data/rfc/rfc2881.txt- Management Interface via an AAAA protocol. The four AAAA ../data/rfc/rfc2881.txt- functions may be located on a single server, or may be broken up ../data/rfc/rfc2881.txt- among multiple servers. -- ../data/rfc/rfc2881.txt- Resource management can be performed at a NAS by granting specific ../data/rfc/rfc2881.txt- types of service based on the current network state. In the case of ../data/rfc/rfc2881.txt- shared operation, NAS policy may be determined based on the policy of ../data/rfc/rfc2881.txt- multiple end systems. 
../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt:9.3.3 Accounting and Auditing ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- Since NAS services are consumable resources, usage information must ../data/rfc/rfc2881.txt- often be collected for the purposes of soft policy management, ../data/rfc/rfc2881.txt: reporting, planning, and accounting. A dynamic, real-time view of ../data/rfc/rfc2881.txt- NAS usage is often required for network auditing purposes. Since a ../data/rfc/rfc2881.txt- NAS may be shared among multiple administrative entities, usage ../data/rfc/rfc2881.txt- information must often be delivered to multiple endpoints. ../data/rfc/rfc2881.txt: Accounting is performed using such protocols as RADIUS [2]. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt-9.3.4 Resource Management ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- NAS's deliver resources to users, often in a dynamic fashion. ../data/rfc/rfc2881.txt- Examples of the types of resources doled out by NAS's are IP -- ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- [1] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote ../data/rfc/rfc2881.txt- Authentication Dial In User Service (RADIUS)", RFC 2865, June ../data/rfc/rfc2881.txt- 2000. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt: [2] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- [3] Calhoun, P., "Diameter Base Protocol", Work in Progress. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- [4] Zorn, G., "Yet Another Authentication Protocol (YAAP)", Work in ../data/rfc/rfc2881.txt- Progress. -- ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- [9] Zorn, G., Leifer, D., Rubens, A., Shriver, J. and M. Holdrege, ../data/rfc/rfc2881.txt- "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June ../data/rfc/rfc2881.txt- 2000. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt: [10] Zorn, G., Aboba, B. and D. 
Mitton, "RADIUS Accounting ../data/rfc/rfc2881.txt- Modifications for Tunnel Protocol Support", RFC 2867, June 2000. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- [11] Aboba, B. and G. Zorn, "Implementation of PPTP/L2TP Compulsory ../data/rfc/rfc2881.txt- Tunneling via RADIUS", RFC 2809, April 2000. ../data/rfc/rfc2881.txt- -- ../data/rfc/rfc2881.txt-RFC 2881 NASreq NAS Model July 2000 ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt-14. Appendix - Acronyms and Glossary: ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt: AAA - Authentication, Authorization, Accounting, The three primary ../data/rfc/rfc2881.txt- services required by a NAS server or protocol. ../data/rfc/rfc2881.txt- ../data/rfc/rfc2881.txt- NAS - Network Access Server, a system that provides access to a ../data/rfc/rfc2881.txt- network. In some cases also know as a RAS, Remote Access Server. ../data/rfc/rfc2881.txt- -- ../data/rfc/rfc5271.txt- ../data/rfc/rfc5271.txt-4. Network Reference Model for Mobile IPv6 over 3G CDMA Networks ../data/rfc/rfc5271.txt- ../data/rfc/rfc5271.txt- Figure 1 shows a simplified reference model of the Mobile IP enabled ../data/rfc/rfc5271.txt- 3G CDMA networks. The home agent (HA) and Authentication, ../data/rfc/rfc5271.txt: Authorization, and Accounting (AAA) server of the mobile node (MN) ../data/rfc/rfc5271.txt- reside in the home IP network, and the MN roams within or between the ../data/rfc/rfc5271.txt- access provider network(s). Usually, the home IP network is not ../data/rfc/rfc5271.txt- populated by the MNs, which are instead connected only to the access ../data/rfc/rfc5271.txt- provider networks. Prior to the Mobile IPv6 registration, the MN ../data/rfc/rfc5271.txt- establishes a 3G CDMA access technology specific link-layer -- ../data/rfc/rfc4004.txt- Copyright (C) The Internet Society (2005). 
../data/rfc/rfc4004.txt- ../data/rfc/rfc4004.txt-Abstract ../data/rfc/rfc4004.txt- ../data/rfc/rfc4004.txt- This document specifies a Diameter application that allows a Diameter ../data/rfc/rfc4004.txt: server to authenticate, authorize and collect accounting information ../data/rfc/rfc4004.txt- for Mobile IPv4 services rendered to a mobile node. Combined with ../data/rfc/rfc4004.txt- the Inter-Realm capability of the base protocol, this application ../data/rfc/rfc4004.txt- allows mobile nodes to receive service from foreign service ../data/rfc/rfc4004.txt: providers. Diameter Accounting messages will be used by the foreign ../data/rfc/rfc4004.txt- and home agents to transfer usage information to the Diameter ../data/rfc/rfc4004.txt- servers. ../data/rfc/rfc4004.txt- ../data/rfc/rfc4004.txt-Table of Contents ../data/rfc/rfc4004.txt- -- ../data/rfc/rfc4004.txt- 9.10. MIP-FA-to-MN-SPI AVP. . . . . . . . . . . . . . . . . . .42 ../data/rfc/rfc4004.txt- 9.11. MIP-FA-to-HA-SPI AVP. . . . . . . . . . . . . . . . . . .42 ../data/rfc/rfc4004.txt- 9.12. MIP-Nonce AVP. . . . . . . . . . . . . . . . . . .. . . .42 ../data/rfc/rfc4004.txt- 9.13. MIP-MSA-Lifetime AVP . . . . . . . . . . . . . . .. . . .42 ../data/rfc/rfc4004.txt- 9.14. MIP-HA-to-FA-SPI AVP . . . . . . . . . . . . . . .. . . .43 ../data/rfc/rfc4004.txt: 10. Accounting AVPs . . . . . . . . . . . . . . . . . . . . . . . .43 ../data/rfc/rfc4004.txt: 10.1. Accounting-Input-Octets AVP . . . . . . . . . . . . . . .43 ../data/rfc/rfc4004.txt- ../data/rfc/rfc4004.txt- ../data/rfc/rfc4004.txt- ../data/rfc/rfc4004.txt-Calhoun, et al. Standards Track [Page 2] ../data/rfc/rfc4004.txt- ../data/rfc/rfc4004.txt-RFC 4004 Diameter MIP August 2005 ../data/rfc/rfc4004.txt- ../data/rfc/rfc4004.txt- ../data/rfc/rfc4004.txt: 10.2. Accounting-Output-Octets AVP. . . . . . . . . . . . . . .43 ../data/rfc/rfc4004.txt- 10.3. Acct-Session-Time AVP . . . . . . . . . . . . . . . . . .43 ../data/rfc/rfc4004.txt: 10.4. 
Accounting-Input-Packets AVP ... 43
   10.5. Accounting-Output-Packets AVP ... 43
   10.6. Event-Timestamp AVP ... 44
   11. AVP Occurrence Tables ... 44
   11.1. Mobile IP Command AVP Table ... 44
   11.2. Accounting AVP Table ... 46
   12. IANA Considerations ... 46
   12.1. Command Codes ... 46
   12.2. AVP Codes ... 46
   12.3. Result-Code AVP Values ... 46
   12.4. MIP-Feature-Vector AVP Values ... 47
--
authorized to attach and use resources in the foreign domain. Also, the FA must provide information to the home administrative domain about the resources used by the MN while it is attached in the foreign domain.

The Authentication, Authorization, and Accounting (AAA) requirements for Mobile IPv4 are described in detail in other documents [MIPREQ, CDMA2000]. This document specifies a Diameter application to meet these requirements. This application is not applicable to the Mobile IPv6 protocol.
--
the MN and FA (MN-FA MSA). If available, the MN-FA MSA is used by the FA to authenticate each Registration Request passing through it on the way to the HA.
Although not critical to the operation of the base protocol, the MN-FA MSA is useful when the FA has to know the authenticity of a Registration Request; e.g., when it will be generating accounting records for a session. The MN-FA MSA may also be useful in future work related to handoff optimization.

Similarly, Mobile IPv4 supports an optional MSA between the FA and HA (FA-HA MSA). The FA-HA MSA is useful for authenticating messages between the FA and HA, such as when the HA seeks to inform the FA
--
continue the same Mobile IPv4 session by using its existing HA and home address.

The MN accomplishes this by sending a Mobile IPv4 Registration Request from its new point of attachment. To enable a single set of accounting records to be maintained for the entire session, including handoffs, it is necessary to allow the AAAH to bind the new registration to the pre-existing session. To enable the Mobile IPv4 Registration Request to be routed to the same AAAH, the MN SHOULD
--
defines the relationship of this application to the Diameter Base Protocol. Section 5 defines the new command codes. Section 6 defines the new result codes used by this application. Section 7 defines the set of mandatory Attribute-Value-Pairs (AVPs). Section 8 gives an overview of the key distribution capability, and Section 9 defines the key distribution AVPs.
Section 10 defines the accounting AVPs, and section 11 contains a listing of all AVPs and their occurrence in Diameter commands. Finally, sections 12 and 13 give IANA and security considerations, respectively.

2. Acronyms

   AAAH  Authentication, Authorization, and Accounting Home
   AAAF  Authentication, Authorization, and Accounting Foreign
   AMA   AA-Mobile-Node-Answer
   AMR   AA-Mobile-Node-Request
   ASR   Abort-Session-Request
   AVP   Attribute Value Pair
   CoA   Care-of-Address
--
and the mobile sends the RRQ, etc.; however, these steps were eliminated from Figure 3 to reduce clutter. The redirect server eliminates the AAAF and any other Diameter agents from seeing the keys as they are transported to the FA and HA. Note that the message flows in Figures 3 and 4 apply only to the initial authentication and key exchange. Accounting messages would still be sent via Diameter agents, not via the direct connection, unless network policies dictate otherwise.

A mobile node that supports the AAA NAI extension [AAANAI], which has been previously authenticated and authorized, MUST always include the
--
Application-Id AVP of the Capabilities-Exchange-Request and Capabilities-Exchange-Answer commands [DIAMBASE]. The value of two (2) MUST be used as the Application-Id in all AMR/AMA and HAR/HAA commands.
The value of two (2) MUST be used as the Application-Id in all ACR/ACA commands, as this application defines new, mandatory AVPs for accounting. The value of zero (0) SHOULD be used as the Application-Id in all STR/STA and ASR/ASA commands, as these are defined in the Diameter base protocol and no additional mandatory AVPs for those commands are defined in this document.

Given the nature of Mobile IPv4, re-authentication can only be
--
For correlation to occur, accounting records must have some commonality across handoffs. Therefore, the home agent MUST send the same Acct-Multi-Session-Id AVP value in all HAAs for the mobile's session. That is, the HA generates a unique Acct-Multi-Session-Id when receiving an HAR for a new session and returns this same value in every HAA for the session. This Acct-Multi-Session-Id AVP will be returned to the foreign agent by the AAAH in the AMA. Both the foreign and home agents MUST include the Acct-Multi-Session-Id in the accounting messages, as depicted in Figure 10.

4.1.3.
Diameter Session Termination

A foreign and home agent following this specification MAY expect their respective Diameter servers to maintain session state
--
contains the Security Parameter Index the HA and FA use to refer to the HA-FA mobility security association. The FA allocates the SPI, and it MUST NOT have a value between zero (0) and 255, which is the reserved namespace defined in [MOBILEIP].

10. Accounting AVPs

10.1. Accounting-Input-Octets AVP

The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64, and contains the number of octets in IP packets received from the user. This AVP MUST be included in all Accounting-Request messages and MAY be present in the corresponding Accounting-Answer messages as well.

10.2. Accounting-Output-Octets AVP

The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64 and contains the number of octets in IP packets sent to the user. This AVP MUST be included in all Accounting-Request messages and MAY be present in the corresponding Accounting-Answer messages as well.

10.3. Acct-Session-Time AVP

The Acct-Time AVP (AVP Code 46) is of type Unsigned32 and indicates the length of the current session in seconds.
This AVP MUST be included in all Accounting-Request messages and MAY be present in the corresponding Accounting-Answer messages as well.

10.4. Accounting-Input-Packets AVP

The Accounting-Input-Packets (AVP Code 365) is of type Unsigned64 and contains the number of IP packets received from the user. This AVP MUST be included in all Accounting-Request messages and MAY be present in the corresponding Accounting-Answer messages as well.

10.5. Accounting-Output-Packets AVP

The Accounting-Output-Packets (AVP Code 366) is of type Unsigned64 and contains the number of IP packets sent to the user. This AVP MUST be included in all Accounting-Request messages and MAY be present in the corresponding Accounting-Answer messages as well.
--
10.6. Event-Timestamp AVP

The Event-Timestamp (AVP Code 55) is of type Time and MAY be included in an Accounting-Request message to record the time at which this event occurred on the mobility agent, in seconds since January 1, 1970, 00:00 UTC.

11. AVP Occurrence Tables
--
11.2. Accounting AVP Table

The table in this section is used to represent which AVPs defined in this document are to be present in the Accounting messages, as defined in [DIAMBASE].

                                          +-------------+
                                          | Command-Code|
                                          |------+------+
   Attribute Name                         | ACR  | ACA  |
   ---------------------------------------|------+------+
   Accounting-Input-Octets                | 1    | 0-1  |
   Accounting-Input-Packets               | 1    | 0-1  |
   Accounting-Output-Octets               | 1    | 0-1  |
   Accounting-Output-Packets              | 1    | 0-1  |
   Acct-Multi-Session-Id                  | 1    | 0-1  |
   Acct-Session-Time                      | 1    | 0-1  |
   MIP-Feature-Vector                     | 1    | 0-1  |
   MIP-Home-Agent-Address                 | 1    | 0-1  |
   MIP-Mobile-Node-Address                | 1    | 0-1  |
--
[HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[MIPKEYS] Perkins, C. and P. Calhoun, "Authentication, Authorization, and Accounting (AAA) Registration Keys for Mobile IP", RFC 3957, March 2005.

[AAANAI] Johansson, F. and T. Johansson, "Mobile IPv4 Extension for Carrying Network Access Identifiers", RFC 3846, June 2004.
--
14.2. Informative References

[MIPREQ] Glass, S., Hiller, T., Jacobs, S., and C. Perkins, "Mobile IP Authentication, Authorization, and Accounting Requirements", RFC 2977, October 2000.

[CDMA2000] Hiller, T., Walsh, P., Chen, X., Munson, M., Dommety, G., Sivalingham, S., Lim, B., McCann, P., Shiino, H., Hirschman, B., Manning, S., Hsu, R., Koo, H., Lipford, M., Calhoun, P., Lo, C., Jaques, E., Campbell, E., Xu,
--
rfc7791.txt

The protocol defined in this document does not modify IKEv2. Security considerations for cloning an IKE SA are mostly the same as those for the base IKEv2 protocol described in [RFC7296].

Cloning an IKE SA allows an initiator to duplicate existing SAs. As a result, it may influence any accounting or control mechanisms based on a single IKE SA per authentication.

Suppose a system has a limit on the number of IKE SAs it can handle. In this case, cloning an IKE SA may provide a way for resource exhaustion, as a single end user may populate multiple IKE SAs.
--
limit the number of cloned IKE SAs.

Suppose the VPN or any other IPsec-based service monitoring is based on the liveliness of the first IKE SA. Such a system considers a service is accessed or used from the time IKE performs an authentication to the time the IKE SA is deleted.
Such accounting methods were fine as any IKE SA required an authentication exchange. As cloning the IKE SA skips the authentication phase, it may make it possible to delete the initial IKE SA while the service is being used on the cloned IKE SA. Such accounting methods should consider that the service is being used from the first IKE SA establishment until the last IKE SA is removed.
--
rfc7789.txt

Rexford, "Customized BGP Route Selection Using BGP/MPLS VPNs", Cisco Systems, Routing Symposium, October 2009, <http://inl.info.ucl.ac.be/system/files/Cisco_NAG_2009_ns_bgp.pdf>.

[PMACCT] "pmacct project: IP accounting iconoclasm", <http://www.pmacct.net>.
--
rfc7574.txt

   11.1.6. Configuration ... 65
   11.2. Management Considerations ... 66
   11.2.1. Management Interoperability and Information ... 67
   11.2.2. Fault Management ... 67
   11.2.3. Configuration Management ... 67
   11.2.4. Accounting Management ... 68
   11.2.5. Performance Management ... 68
   11.2.6. Security Management ... 68
   12. Security Considerations ... 68
   12.1.
Security of the Handshake Procedure ... 68
   12.1.1. Protection against Attack 1 ... 69
--
Bakker, et al. Standards Track [Page 67]

RFC 7574 PPSPP July 2015

11.2.4. Accounting Management

Content providers may offer PPSPP hosting for different customers and will want to bill these customers, for example, based on bandwidth usage. This situation is a common accounting scenario, similar to billing per virtual server for web servers. PPSPP can therefore benefit from general standardization efforts in this area [RFC2975] when they come to fruition.

11.2.5. Performance Management
--
[RFC2790] Waldbusser, S. and P. Grillo, "Host Resources MIB", RFC 2790, DOI 10.17487/RFC2790, March 2000, <http://www.rfc-editor.org/info/rfc2790>.

[RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to Accounting Management", RFC 2975, DOI 10.17487/RFC2975, October 2000, <http://www.rfc-editor.org/info/rfc2975>.
[RFC3365] Schiller, J., "Strong Security Requirements for Internet Engineering Task Force Standard Protocols", BCP 61, RFC 3365, DOI 10.17487/RFC3365, August 2002,
--
rfc7381.txt

more providers, and is actively managed by a network operations entity (the "administrator", whether a single person or a department of administrators). Administrators generally support an internal network, consisting of users' workstations; personal computers; mobile devices; other computing devices and related peripherals; a server network, consisting of accounting and business application servers; and an external network, consisting of Internet-accessible services such as web servers, email servers, VPN systems, and customer applications. This document is intended as guidance for enterprise network architects and administrators in planning their IPv6 deployments.
--
may be more urgent to manage and have visibility on the internal traffic. It is important to manage IPv6 for security purposes, even in an ostensibly IPv4-only network, as described in [RFC7123].

o In many cases, the corporate accounting, payroll, human resource, and other internal systems may only need to be reachable from the internal network, so they may be a lower priority.
As enterprises require their vendors to support IPv6, more internal applications will support IPv6 by default, and it can be expected that eventually new applications will only support IPv6. The
--
rfc2679.txt

well.}

3.7. Errors and Uncertainties:

The description of any specific measurement method should include an accounting and analysis of various sources of error or uncertainty. The Framework document provides general guidance on this point, but we note here the following specifics related to delay metrics:

+ Errors or uncertainties due to uncertainties in the clocks of the Src and Dst hosts.
--
+ Errors or uncertainties due to the difference between 'wire time' and 'host time'.

In addition, the loss threshold may affect the results. Each of these is discussed in more detail below, along with a section ("Calibration") on accounting for these errors and uncertainties.

3.7.1. Errors or uncertainties related to Clocks

The uncertainty in a measurement of one-way delay is related, in part, to uncertainties in the clocks of the Src and Dst hosts. In
--
rfc2196.txt

(2) New user accounts (the account RUMPLESTILTSKIN has been unexpectedly created), or high activity on a previously low usage account.
(3) New files (usually with novel or strange file names, such as data.xx or k or .xx).
(4) Accounting discrepancies (in a UNIX system you might notice the shrinking of an accounting file called /usr/admin/lastlog, something that should make you very suspicious that there may be an intruder).
(5) Changes in file lengths or dates (a user should be suspicious if .EXE files in an MS DOS computer have unexplainedly grown by over 1800 bytes).
--
otherwise have intimate knowledge or access to the systems. In all cases, the pre-incident preparation will determine what recovery is possible.

If the system supports centralized logging (most do), go back over the logs and look for abnormalities. If process accounting and connect time accounting is enabled, look for patterns of system usage. To a lesser extent, disk usage may shed light on the incident. Accounting can provide much helpful information in an analysis of an incident and subsequent prosecution. Your ability to address all aspects of a specific incident strongly depends on the success of this analysis.

5.4 Handling an Incident
--
[Foster and Morrision, 1990] T. Forester, and P. Morrison, "Computer Ethics: Tales and Ethical Dilemmas in Computing", MIT Press, Cambridge, MA, 1990. (192 pages including index.)
[GAO/IMTEX-89-57, 1989] U.S. General Accounting Office, "Computer Security - Virus Highlights Need for Improved Internet Management", United States General Accounting Office, Washington, DC, 1989.

[Garfinkel and Spafford, 1991] S. Garfinkel, and E. Spafford, "Practical Unix Security", O'Reilly & Associates, ISBN 0-937175-72-2, May 1991.
--
rfc5296.txt

[17] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.

[18] Housley, R. and B. Aboba, "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management", BCP 132, RFC 4962, July 2007.
--
rfc4017.txt

Authorization
   Requirement: "EAP peer and authenticator authorization must be performed."

   Authorization issues are discussed in [RFC3748], Sections 1.2 and 7.16. Authentication, Authorization, and Accounting (AAA) protocols such as RADIUS [RFC2865][RFC3579] may be used to enable authorization of EAP peers by a central authority. AAA authorization issues are discussed in [RFC3579], Sections 2.6.3 and 4.3.7.
--
rfc1030.txt

The best possible datagram rate over the current Wideband configuration is 24,054 bits per channel frame, or 3006 bytes every 21.22 milliseconds. Since the transmission route begins and ends on an Ethernet, the largest amount of data transmissible (after accounting for packet header overhead) is 1438 bytes per packet. This translates to approximately 2 packets per frame. Since we want to avoid overflowing the channel, we should transmit slightly slower than the channel frame rate of 21.2 milliseconds. We therefore came up with a best possible throughput of 2 1438-byte packets every 22 milliseconds, or 1.05 megabits per second.
--
rfc8116.txt

can be "trusted" to behave in a non-destructive way, is naive. With deployment in the wider Internet, and a resultant increase in user numbers, an increase in attacks and abuses has followed, necessitating a change in recommended practices. For example, SMTP servers, which were initially available for use by everyone on the Internet, require authentication and accounting for users today [RFC5068].

As OLSRv2 is often used in wireless environments, it is potentially exposed to different kinds of security threats, some of which are of greater significance when compared to wired networks.
As radio signals can be received as well as transmitted by any compatible
--
rfc499.txt

CAN (CANCEL)  (a) On an output channel, CAN causes the rest of the output in the SYSOUT data set currently being transmitted to be omitted. Alternatively, may omit the rest of the SYSOUT data sets for the job currently being transmitted; however, the remaining system and accounting messages will be sent.

   (b) On an input channel, CAN causes RJS to ignore the job currently being read. However, the channel is not aborted as a result, and RJS will
--
rfc6218.txt

allocated from the Cisco vendor space, that can be used to securely transfer cryptographic keying material using standard techniques with well-understood security properties. In addition, the Message-Authentication-Code Attribute may be used to provide strong authentication for any RADIUS message, including those used for accounting and dynamic authorization.

These attributes were designed to provide stronger protection and more flexibility than the currently defined Vendor-Specific MS-MPPE-Send-Key and MS-MPPE-Recv-Key Attributes in [RFC2548] and the Message-Authenticator Attribute in [RFC3579].
--
successful authentication process. The keying material is of a form that may be used in virtually any cryptographic algorithm after appropriate processing.
These attributes may also be used in other cases where an Authentication, Authorization, and Accounting (AAA) server needs to deliver keying material to a network access point.

Discussion of this document may be directed to the authors.

2. Specification of Requirements
--
differences are detailed below, with the free variable HASH-ALG representing the actual algorithm used.

Request Messages

   For requests (e.g., CoA-Request [RFC5176], Accounting-Request [RFC2866], etc.), the value of the MAC field is a hash of the entire packet except the Request Authenticator in the header of the RADIUS packet, using a shared secret as the key, as follows.
--
secret) to be used exclusively in the generation of the Message-Authentication-Code.

Response Messages

   For responses (e.g., CoA-ACK [RFC5176], Accounting-Response [RFC2866], etc.), the value of the MAC field is a hash of the entire packet except the Response Authenticator in the header of the RADIUS packet using a shared secret as the key, as follows.
--
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.
--
rfc8577.txt

neighbor on the RSVP-TE tunnel.

Multiple TE link labels MAY be allocated for the TE link to accommodate tunnels requesting protection.

Implementations that maintain per-label bandwidth accounting at each hop must aggregate the reservations made for all the LSPs using the shared TE link label.

4. Segment Routed RSVP-TE Tunnel Setup
--
rfc3575.txt

Attributes). This document creates no new IANA registries, since a RADIUS registry was created by [RFC2865].

RADIUS is not intended as a general-purpose protocol, and allocations SHOULD NOT be made for purposes unrelated to Authentication, Authorization or Accounting.

2.1. Recommended Registration Policies

For registration requests where a Designated Expert should be consulted, the responsible IESG area director should appoint the
--
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999.
../data/rfc/rfc3575.txt- ../data/rfc/rfc3575.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc3575.txt- ../data/rfc/rfc3575.txt: [RFC2867] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting ../data/rfc/rfc3575.txt- Modifications for Tunnel Protocol Support", RFC 2867, ../data/rfc/rfc3575.txt- June 2000. ../data/rfc/rfc3575.txt- ../data/rfc/rfc3575.txt- [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., ../data/rfc/rfc3575.txt- Holdrege, M. and I. Goyret, "RADIUS Attributes for -- ../data/rfc/rfc3575.txt- # Message Reference ../data/rfc/rfc3575.txt- ---- ------------------------- --------- ../data/rfc/rfc3575.txt- 1 Access-Request [RFC2865] ../data/rfc/rfc3575.txt- 2 Access-Accept [RFC2865] ../data/rfc/rfc3575.txt- 3 Access-Reject [RFC2865] ../data/rfc/rfc3575.txt: 4 Accounting-Request [RFC2865] ../data/rfc/rfc3575.txt: 5 Accounting-Response [RFC2865] ../data/rfc/rfc3575.txt: 6 Accounting-Status [RFC2882] ../data/rfc/rfc3575.txt: (now Interim Accounting) ../data/rfc/rfc3575.txt- 7 Password-Request [RFC2882] ../data/rfc/rfc3575.txt- 8 Password-Ack [RFC2882] ../data/rfc/rfc3575.txt- 9 Password-Reject [RFC2882] ../data/rfc/rfc3575.txt: 10 Accounting-Message [RFC2882] ../data/rfc/rfc3575.txt- 11 Access-Challenge [RFC2865] ../data/rfc/rfc3575.txt- 12 Status-Server (experimental) [RFC2865] ../data/rfc/rfc3575.txt- 13 Status-Client (experimental) [RFC2865] ../data/rfc/rfc3575.txt- 21 Resource-Free-Request [RFC2882] ../data/rfc/rfc3575.txt- 22 Resource-Free-Response [RFC2882] -- ../data/rfc/rfc1987.txt- record is used to request and return activity information concerning ../data/rfc/rfc1987.txt- a single virtual connection. Each VC is specified by its input port, ../data/rfc/rfc1987.txt- input VPI, and input VCI. These are specified in the Input Port, ../data/rfc/rfc1987.txt- Input VPI, and Input VCI fields of each VC Activity record. Two ../data/rfc/rfc1987.txt- forms of activity detection are supported. 
If the switch supports per ../data/rfc/rfc1987.txt: VC traffic accounting the current value of the traffic counter for ../data/rfc/rfc1987.txt- each specified VC must be returned. The units of traffic counted are ../data/rfc/rfc1987.txt- not specified but will typically be either cells or frames. The ../data/rfc/rfc1987.txt- controller must compare the traffic counts returned in the message ../data/rfc/rfc1987.txt- with previous values for each of the specified VCs to determine ../data/rfc/rfc1987.txt- whether each VC has been active in the intervening period. If the ../data/rfc/rfc1987.txt: switch does not support per VC traffic accounting, but is capable of ../data/rfc/rfc1987.txt- detecting per-VC activity by some other unspecified means, the result ../data/rfc/rfc1987.txt- ../data/rfc/rfc1987.txt- ../data/rfc/rfc1987.txt- ../data/rfc/rfc1987.txt-Newman, et. al. Informational [Page 20] -- ../data/rfc/rfc7680.txt- more detail elsewhere; we encourage others to do so as well.} ../data/rfc/rfc7680.txt- ../data/rfc/rfc7680.txt-2.7. Errors and Uncertainties ../data/rfc/rfc7680.txt- ../data/rfc/rfc7680.txt- The description of any specific measurement method should include an ../data/rfc/rfc7680.txt: accounting and analysis of various sources of error or uncertainty. ../data/rfc/rfc7680.txt- The Framework document provides general guidance on this point. ../data/rfc/rfc7680.txt- ../data/rfc/rfc7680.txt- For loss, there are three sources of error: ../data/rfc/rfc7680.txt- ../data/rfc/rfc7680.txt- o synchronization between clocks on Src and Dst. -- ../data/rfc/rfc8466.txt- ../data/rfc/rfc8466.txt- A typical usage for this model is as an input to an orchestration ../data/rfc/rfc8466.txt- layer that is responsible for translating it into configuration ../data/rfc/rfc8466.txt- commands for the network elements that deliver/enable the service. 
../data/rfc/rfc8466.txt- The network elements may be routers, but also servers (like ../data/rfc/rfc8466.txt: Authentication, Authorization, and Accounting (AAA)) that are ../data/rfc/rfc8466.txt- necessary within the network. ../data/rfc/rfc8466.txt- ../data/rfc/rfc8466.txt- The configuration of network elements may be done using the Command ../data/rfc/rfc8466.txt- Line Interface (CLI) or any other configuration (or "southbound") ../data/rfc/rfc8466.txt- interface such as NETCONF [RFC6241] in combination with device- -- ../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt- Additionally, the following acronyms are used in this document: ../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt- CLAS: Cooperating Layered Architecture for SDN ../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt: FCAPS: Fault, Configuration, Accounting, Performance, and Security ../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt- SDN: Software-Defined Networking ../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt- SLA: Service Level Agreement ../data/rfc/rfc8597.txt- -- ../data/rfc/rfc8597.txt- certain path. ../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt- o Orchestration: the ability to combine diverse resources (e.g., IT ../data/rfc/rfc8597.txt- and network resources) in an optimal way. ../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt: o Accounting: record of resource usage. ../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt- o Security: secure communication among components, preventing, for ../data/rfc/rfc8597.txt- example, DoS attacks. ../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt-5. Communication between SDN Controllers -- ../data/rfc/rfc8597.txt- o Security: As reflected before, the communication between strata ../data/rfc/rfc8597.txt- must be secure to prevent attacks and threats. Additionally, ../data/rfc/rfc8597.txt- privacy should be enforced, especially when addressing multi- ../data/rfc/rfc8597.txt- provider scenarios at the transport level. 
../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt: o Accounting: The control and accountancy of resources used and ../data/rfc/rfc8597.txt- consumed by services should be supported in the communication ../data/rfc/rfc8597.txt- among strata. ../data/rfc/rfc8597.txt- ../data/rfc/rfc8597.txt-9. IANA Considerations ../data/rfc/rfc8597.txt- -- ../data/rfc/rfc2705.txt- Call identifiers are expected to be unique within the system, or at a ../data/rfc/rfc2705.txt- minimum, unique within the collection of Call Agents that control the ../data/rfc/rfc2705.txt- same gateways. When a Call Agent builds several connections that ../data/rfc/rfc2705.txt- pertain to the same call, either on the same gateway or in different ../data/rfc/rfc2705.txt- gateways, these connections that belong to the same call share the ../data/rfc/rfc2705.txt: same call-id. This identifier can then be used by accounting or ../data/rfc/rfc2705.txt- management procedures, which are outside the scope of MGCP. ../data/rfc/rfc2705.txt- ../data/rfc/rfc2705.txt-2.1.3.2. Names of connections ../data/rfc/rfc2705.txt- ../data/rfc/rfc2705.txt- Connection identifiers are created by the gateway when it is -- ../data/rfc/rfc2705.txt- "view" of a connection. ../data/rfc/rfc2705.txt- ../data/rfc/rfc2705.txt- CallId is a globally unique parameter that identifies the call (or ../data/rfc/rfc2705.txt- session) to which this connection belongs. Connections that belong to ../data/rfc/rfc2705.txt- the same call share the same call-id. The call-id can be used to ../data/rfc/rfc2705.txt: identify calls for reporting and accounting purposes. It does not ../data/rfc/rfc2705.txt- affect the handling of connections by the gateway. ../data/rfc/rfc2705.txt- ../data/rfc/rfc2705.txt- EndpointId is the identifier for the connection endpoint in the ../data/rfc/rfc2705.txt- gateway where CreateConnection executes. 
The EndpointId can be ../data/rfc/rfc2705.txt- fully-specified by assigning a value to the parameter EndpointId in -- ../data/rfc/rfc6271.txt- of scope of this document. They include information about SIP ../data/rfc/rfc6271.txt- protocol support (e.g., SIP extensions and field conventions), media ../data/rfc/rfc6271.txt- (e.g., type of media traffic to be exchanged, compatible media codecs ../data/rfc/rfc6271.txt- and transport protocols, mechanisms to ensure differentiated quality ../data/rfc/rfc6271.txt- of service for media), Layer 3 IP connectivity between the signaling ../data/rfc/rfc6271.txt: and data path border elements, and accounting and traffic capacity ../data/rfc/rfc6271.txt- control (e.g., the maximum number of SIP sessions at each ingress ../data/rfc/rfc6271.txt- point, or the maximum number of concurrent IM or VoIP sessions). ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- The informative Appendix A lists parameters that may be considered ../data/rfc/rfc6271.txt- when discussing the technical parameters of SIP session peering. The -- ../data/rfc/rfc6271.txt- [RFC3611] Friedman, T., Caceres, R., and A. Clark, "RTP Control ../data/rfc/rfc6271.txt- Protocol Extended Reports (RTCP XR)", RFC 3611, ../data/rfc/rfc6271.txt- November 2003. ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- [RFC3702] Loughney, J. and G. Camarillo, "Authentication, ../data/rfc/rfc6271.txt: Authorization, and Accounting Requirements for the ../data/rfc/rfc6271.txt- Session Initiation Protocol (SIP)", RFC 3702, ../data/rfc/rfc6271.txt- February 2004. ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., ../data/rfc/rfc6271.txt- and K. Norrman, "The Secure Real-time Transport -- ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- Various types of policy information may need to be discovered or ../data/rfc/rfc6271.txt- exchanged in order to establish session peering. 
At a minimum, a ../data/rfc/rfc6271.txt- policy should specify information related to session establishment ../data/rfc/rfc6271.txt- data in order to avoid session establishment failures. A policy may ../data/rfc/rfc6271.txt: also include information related to QoS, billing and accounting, and ../data/rfc/rfc6271.txt- Layer 3 related interconnect requirements, which are out of the scope ../data/rfc/rfc6271.txt- of this document. ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- Some aspects of session peering policies must be agreed to and ../data/rfc/rfc6271.txt- manually implemented; they are static and are typically documented as -- ../data/rfc/rfc6271.txt-Mule Informational [Page 20] ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt-RFC 6271 SIP Session Peering Requirements June 2011 ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt: o Accounting: ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt: Methods used for call or session accounting should be specified. ../data/rfc/rfc6271.txt- An SSP may require a peer to track session usage. It is critical ../data/rfc/rfc6271.txt- for peers to determine whether the support of any SIP extensions ../data/rfc/rfc6271.txt: for accounting is a pre-requisite for SIP interoperability. In ../data/rfc/rfc6271.txt: some cases, call accounting may feed data for billing purposes, ../data/rfc/rfc6271.txt: but not always: some operators may decide to use accounting as a ../data/rfc/rfc6271.txt- 'bill and keep' model to track session usage and monitor usage ../data/rfc/rfc6271.txt- against service level agreements. ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- [RFC3702] defines the terminology and basic requirements for ../data/rfc/rfc6271.txt: accounting of SIP sessions. 
A few private SIP extensions have ../data/rfc/rfc6271.txt- also been defined and used over the years to enable call ../data/rfc/rfc6271.txt: accounting between SSP domains such as the P-Charging* headers in ../data/rfc/rfc6271.txt- [RFC3455], the P-DCS-Billing-Info header in [RFC5503], etc. ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- o Performance Metrics: ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- Layer 5 performance metrics should be defined and shared between -- ../data/rfc/rfc6271.txt- * headers and header values ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- * possibly, list of SIP RFCs supported by groups (e.g., by call ../data/rfc/rfc6271.txt- feature) ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt: o Accounting ../data/rfc/rfc6271.txt- ../data/rfc/rfc6271.txt- o Capacity Control and Performance Management: any limits on, or, ../data/rfc/rfc6271.txt- means to measure and limit the maximum number of active calls to a ../data/rfc/rfc6271.txt- peer or federation, maximum number of sessions and messages per ../data/rfc/rfc6271.txt- specified unit time, maximum number of active users or subscribers -- ../data/rfc/rfc755.txt- 1 1 Reserved ../data/rfc/rfc755.txt- 2-71 2-107 AHHP Regular Messages [1,3] ../data/rfc/rfc755.txt- 72-151 110-227 Reserved ../data/rfc/rfc755.txt- 152 230 PARC Universal Protocol ../data/rfc/rfc755.txt- 153 231 TIP Status Reporting ../data/rfc/rfc755.txt: 154 232 TIP Accounting ../data/rfc/rfc755.txt- 155-158 233-236 Internet Protocol [35,36,42,43,44] ../data/rfc/rfc755.txt- 159-191 237-277 Measurements [28] ../data/rfc/rfc755.txt- 192-195 300-303 Message Switching Protocol [4,5] ../data/rfc/rfc755.txt- 196-255 304-377 Experimental Protocols ../data/rfc/rfc755.txt- 224-255 340-377 NVP [1,39] -- ../data/rfc/rfc3570.txt- 2.2. Brokering Content Network................................3 ../data/rfc/rfc3570.txt- 2.3. Local Request-Routing Content Network....................4 ../data/rfc/rfc3570.txt- 3. 
Content Internetworking Arrangements...........................5 ../data/rfc/rfc3570.txt- 4. Content Internetworking Scenarios..............................5 ../data/rfc/rfc3570.txt- 4.1. General Content Internetworking..........................6 ../data/rfc/rfc3570.txt: 4.2. BCN providing ACCOUNTING INTERNETWORKING and ../data/rfc/rfc3570.txt- REQUEST-ROUTING INTERNETWORKING..........................9 ../data/rfc/rfc3570.txt: 4.3. BCN providing ACCOUNTING INTERNETWORKING................11 ../data/rfc/rfc3570.txt- 4.4. PCN ENLISTS multiple CNs................................12 ../data/rfc/rfc3570.txt- 4.5. Multiple CNs ENLIST LCN.................................13 ../data/rfc/rfc3570.txt- 5. Security Considerations.......................................15 ../data/rfc/rfc3570.txt- 5.1. Threats to Content Internetworking......................15 ../data/rfc/rfc3570.txt- 5.1.1. Threats to the CLIENT.............................15 -- ../data/rfc/rfc3570.txt-RFC 3570 CDI Scenarios July 2003 ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt-2. Special Cases of Content Networks ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt: A CN may have REQUEST-ROUTING, DISTRIBUTION, and ACCOUNTING ../data/rfc/rfc3570.txt- interfaces. However, some participating networks may gravitate ../data/rfc/rfc3570.txt- toward particular subsets of the CONTENT INTERNETWORKING interfaces. ../data/rfc/rfc3570.txt- Others may be seen differently in terms of how they relate to their ../data/rfc/rfc3570.txt- CLIENT bases. This section describes these refined cases of the ../data/rfc/rfc3570.txt- general CN case so they may be available for easier reference in the -- ../data/rfc/rfc3570.txt- ENLISTED CNs. Second, it implies that the PCN need only participate ../data/rfc/rfc3570.txt- in a subset of CONTENT INTERNETWORKING. 
For example, a PCN's ../data/rfc/rfc3570.txt- DISTRIBUTION INTERNETWORKING SYSTEM need only be able to receive ../data/rfc/rfc3570.txt- DISTRIBUTION ADVERTISEMENTS, it need not send them. Similarly, a ../data/rfc/rfc3570.txt- PCN's REQUEST-ROUTING INTERNETWORKING SYSTEM has no reason to send ../data/rfc/rfc3570.txt: AREA ADVERTISEMENTS. Finally, a PCN's ACCOUNTING INTERNETWORKING ../data/rfc/rfc3570.txt: SYSTEM need only be able to receive ACCOUNTING data, it need not send ../data/rfc/rfc3570.txt- it. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt-2.2. Brokering Content Network ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- A Brokering Content Network (BCN) is a network that does not operate -- ../data/rfc/rfc3570.txt-Rzewski, et al. Informational [Page 3] ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt-RFC 3570 CDI Scenarios July 2003 ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt: ACCOUNTING INTERNETWORKING in order to aggregate utilization data ../data/rfc/rfc3570.txt- from several CNs into combined reports for CNs that represent ../data/rfc/rfc3570.txt- PUBLISHERS. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- This definition of a BCN implies that a BCN's CIGs would implement ../data/rfc/rfc3570.txt- the sending and/or receiving of any combination of ADVERTISEMENTS and ../data/rfc/rfc3570.txt: ACCOUNTING data as is necessary to provide desired services to other ../data/rfc/rfc3570.txt- CONTENT NETWORKS. For example, if a BCN is only interested in ../data/rfc/rfc3570.txt: aggregating ACCOUNTING data on behalf of other CNs, it would only ../data/rfc/rfc3570.txt: need to have an ACCOUNTING INTERNETWORKING interface on its CIGs. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt-2.3. Local Request-Routing Content Network ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- Another type of CN is the Local Request-Routing CONTENT NETWORK ../data/rfc/rfc3570.txt- (LCN). 
An LCN is defined as a type of network where CLIENTS' CONTENT -- ../data/rfc/rfc3570.txt- particular item of CONTENT. By directing CONTENT REQUESTS through ../data/rfc/rfc3570.txt- the local SERVER, CONTENT RESPONSES may be given to CLIENTS without ../data/rfc/rfc3570.txt- first referring to the AUTHORITATIVE REQUEST-ROUTING SYSTEM. Knowing ../data/rfc/rfc3570.txt- this to be true, other CNs may seek a NEGOTIATED RELATIONSHIP with an ../data/rfc/rfc3570.txt- LCN in order to perform DISTRIBUTION into the LCN and receive ../data/rfc/rfc3570.txt: ACCOUNTING data from it. Note that once SERVERS participate in ../data/rfc/rfc3570.txt: DISTRIBUTION INTERNETWORKING and ACCOUNTING INTERNETWORKING, they ../data/rfc/rfc3570.txt- effectively take on the role of SURROGATES. However, an LCN would ../data/rfc/rfc3570.txt- not intend to allow its SURROGATES to be accessed by non-local ../data/rfc/rfc3570.txt- CLIENTS. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- This set of assumptions implies multiple things about the LCN's ../data/rfc/rfc3570.txt- CONTENT INTERNETWORKING relationships. First, it is implied that the ../data/rfc/rfc3570.txt- LCN's DISTRIBUTION INTERNETWORKING SYSTEM need only be able to send ../data/rfc/rfc3570.txt- DISTRIBUTION ADVERTISEMENTS, it need not receive them. Second, it is ../data/rfc/rfc3570.txt: implied that an LCN's ACCOUNTING INTERNETWORKING SYSTEM need only be ../data/rfc/rfc3570.txt: able to send ACCOUNTING data, it need not receive it. Finally, due ../data/rfc/rfc3570.txt- to the locally defined REQUEST-ROUTING, the LCN would not participate ../data/rfc/rfc3570.txt- in REQUEST-ROUTING INTERNETWORKING. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- -- ../data/rfc/rfc3570.txt- technical terms (such as SLAs). 
../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- In the event that the controlling interests of two CNs no longer wish ../data/rfc/rfc3570.txt- to have their networks interconnected, it is expected that these ../data/rfc/rfc3570.txt- tasks would be undone. That is, the protocol configurations would be ../data/rfc/rfc3570.txt: changed to cease the movement of ADVERTISEMENTS and/or ACCOUNTING ../data/rfc/rfc3570.txt- data between the networks, and the NEGOTIATED RELATIONSHIP would be ../data/rfc/rfc3570.txt- legally terminated. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt-4. Content Internetworking Scenarios ../data/rfc/rfc3570.txt- -- ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- This scenario considers the general case where two or more existing ../data/rfc/rfc3570.txt- CNs wish to establish a CONTENT INTERNETWORKING relationship in order ../data/rfc/rfc3570.txt- to provide increased scale and reach for their existing customers. ../data/rfc/rfc3570.txt- It assumes that all of these CNs already provide REQUEST-ROUTING, ../data/rfc/rfc3570.txt: DISTRIBUTION, and ACCOUNTING services and that they will continue to ../data/rfc/rfc3570.txt- provide these services to existing customers as well as offering them ../data/rfc/rfc3570.txt- to other CNs. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- In this scenario, these CNs would interconnect with others via a CIG ../data/rfc/rfc3570.txt- that provides a REQUEST-ROUTING INTERNETWORKING SYSTEM, a ../data/rfc/rfc3570.txt: DISTRIBUTION INTERNETWORKING SYSTEM, and an ACCOUNTING ../data/rfc/rfc3570.txt- INTERNETWORKING SYSTEM. The net result of this interconnection would ../data/rfc/rfc3570.txt- be that a larger set of SURROGATES will now be available to the ../data/rfc/rfc3570.txt- CLIENTS. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- Figure 1 shows three CNs which have interconnected to provide greater ../data/rfc/rfc3570.txt- scale and reach to their existing customers. 
They are all ../data/rfc/rfc3570.txt- participating in DISTRIBUTION INTERNETWORKING, REQUEST-ROUTING ../data/rfc/rfc3570.txt: INTERNETWORKING, and ACCOUNTING INTERNETWORKING. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- As a result of the NEGOTIATED RELATIONSHIPS it is assumed that: ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- 1. CONTENT that has been INJECTED into any one of these ORIGINATING ../data/rfc/rfc3570.txt- CNs may be distributed into any other ENLISTED CN. -- ../data/rfc/rfc3570.txt- within the ORIGINATING CN, or may also be issued within the ../data/rfc/rfc3570.txt- ENLISTED CN. The latter case allows local decisions to be made ../data/rfc/rfc3570.txt- about DISTRIBUTION within the ENLISTED CN, but such commands would ../data/rfc/rfc3570.txt- not control DISTRIBUTION within the ORIGINATING CN. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt: 3. ACCOUNTING information regarding CLIENT access and/or DISTRIBUTION ../data/rfc/rfc3570.txt- actions will be made available to the ORIGINATING CN by the ../data/rfc/rfc3570.txt- ENLISTED CN. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- -- ../data/rfc/rfc3570.txt-Rzewski, et al. Informational [Page 6] ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt-RFC 3570 CDI Scenarios July 2003 ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt: 4. The ORIGINATING CN would provide this ACCOUNTING information to ../data/rfc/rfc3570.txt- the PUBLISHER based on existing Service Level Agreements (SLAs). ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- 5. CONTENT REQUESTS by CLIENTS may be directed to SURROGATES within ../data/rfc/rfc3570.txt- any of the ENLISTED CNs. 
../data/rfc/rfc3570.txt- -- ../data/rfc/rfc3570.txt- |..............| +---------+ +---------+ |..............+ ../data/rfc/rfc3570.txt- | REQ-ROUTING |<=>| |<=>| |<=>| REQ-ROUTING | ../data/rfc/rfc3570.txt- |..............| | CONTENT | | CONTENT | |..............| ../data/rfc/rfc3570.txt- | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION | ../data/rfc/rfc3570.txt- |..............| | GATEWAY | | GATEWAY | |..............| ../data/rfc/rfc3570.txt: | ACCOUNTING |<=>| |<=>| |<=>| ACCOUNTING | ../data/rfc/rfc3570.txt- +--------------+ +---------+ +---------+ +--------------+ ../data/rfc/rfc3570.txt- | ^ \^ \ \ ^/ ^/ ^/ | ^ ../data/rfc/rfc3570.txt- v | \\ \\ \\ // // // v | ../data/rfc/rfc3570.txt- +--------------+ \\ \\ \\ // // // +--------------+ ../data/rfc/rfc3570.txt- | SURROGATES | \\ v\ v\ /v /v // | SURROGATES | -- ../data/rfc/rfc3570.txt- | | |..............| | | ../data/rfc/rfc3570.txt- | | | REQ-ROUTING | | | ../data/rfc/rfc3570.txt- | | |..............| | | ../data/rfc/rfc3570.txt- \ \ | DISTRIBUTION | / / ../data/rfc/rfc3570.txt- \ \ |..............| / / ../data/rfc/rfc3570.txt: \ \ | ACCOUNTING | / / ../data/rfc/rfc3570.txt- \ \ |--------------| / / ../data/rfc/rfc3570.txt- \ \ | ^ / / ../data/rfc/rfc3570.txt- \ \ v | / / ../data/rfc/rfc3570.txt- \ \ +--------------+ / / ../data/rfc/rfc3570.txt- \ \ | SURROGATES | / / -- ../data/rfc/rfc3570.txt-Rzewski, et al. Informational [Page 8] ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt-RFC 3570 CDI Scenarios July 2003 ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt:4.2. 
BCN providing ACCOUNTING INTERNETWORKING and REQUEST-ROUTING ../data/rfc/rfc3570.txt- INTERNETWORKING ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- This scenario describes the case where a single entity (BCN A) ../data/rfc/rfc3570.txt: performs ACCOUNTING INTERNETWORKING and REQUEST-ROUTING ../data/rfc/rfc3570.txt- INTERNETWORKING functions, but has no inherent DISTRIBUTION or ../data/rfc/rfc3570.txt- DELIVERY capabilities. A potential configuration which illustrates ../data/rfc/rfc3570.txt- this concept is given in Figure 2. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- In the scenario shown in Figure 2, BCN A is responsible for ../data/rfc/rfc3570.txt: collecting ACCOUNTING information from multiple CONTENT NETWORKS (CN ../data/rfc/rfc3570.txt- A and CN B) to provide a clearinghouse/settlement function, as well ../data/rfc/rfc3570.txt- as providing a REQUEST-ROUTING service for CN A and CN B. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- In this scenario, CONTENT is injected into either CN A or CN B and ../data/rfc/rfc3570.txt- its DISTRIBUTION between these CNs is controlled via the DISTRIBUTION ../data/rfc/rfc3570.txt- INTERNETWORKING SYSTEMS within the CIGs. The REQUEST-ROUTING SYSTEM ../data/rfc/rfc3570.txt- provided by BCN A is informed of the ability to serve a piece of ../data/rfc/rfc3570.txt- CONTENT from a particular CONTENT NETWORK by the REQUEST-ROUTING ../data/rfc/rfc3570.txt- SYSTEMS within the interconnected CIGs. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt: BCN A collects statistics and usage information via the ACCOUNTING ../data/rfc/rfc3570.txt- INTERNETWORKING SYSTEM and disseminates that information to CN A and ../data/rfc/rfc3570.txt- CN B as appropriate. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- As illustrated in Figure 2, there are separate REQUEST-ROUTING ../data/rfc/rfc3570.txt- SYSTEMS employed within CN A and CN B. If the REQUEST-ROUTING SYSTEM -- ../data/rfc/rfc3570.txt-Rzewski, et al. 
Informational [Page 9] ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt-RFC 3570 CDI Scenarios July 2003 ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt: Figure 2 - BCN providing ACCOUNTING INTERNETWORKING and ../data/rfc/rfc3570.txt- REQUEST-ROUTING INTERNETWORKING ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- +--------------+ ../data/rfc/rfc3570.txt- | BCN A | ../data/rfc/rfc3570.txt- |..............| +-----------+ ../data/rfc/rfc3570.txt- | REQ-ROUTING |<===>| | ../data/rfc/rfc3570.txt- |..............| | CONTENT | ../data/rfc/rfc3570.txt: | ACCOUNTING |<===>| INTWRKING | ../data/rfc/rfc3570.txt- +--------------+ | GATEWAY | ../data/rfc/rfc3570.txt- | | ../data/rfc/rfc3570.txt- +-----------+ ../data/rfc/rfc3570.txt- ^| ^| ^| ^| ../data/rfc/rfc3570.txt- +--------------+ // // \\ \\ +--------------+ -- ../data/rfc/rfc3570.txt- |..............| +---------+ +---------+ |..............| ../data/rfc/rfc3570.txt- | REQ-ROUTING |<=>| | | |<=>| REQ-ROUTING | ../data/rfc/rfc3570.txt- |..............| | CONTENT | | CONTENT | |..............| ../data/rfc/rfc3570.txt- | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION | ../data/rfc/rfc3570.txt- |..............| | GATEWAY | | GATEWAY | |..............| ../data/rfc/rfc3570.txt: | ACCOUNTING |<=>| | | |<=>| ACCOUNTING | ../data/rfc/rfc3570.txt- +--------------+ +---------+ +---------+ +--------------+ ../data/rfc/rfc3570.txt- | ^ | ^ ../data/rfc/rfc3570.txt- v | v | ../data/rfc/rfc3570.txt- +--------------+ +--------------+ ../data/rfc/rfc3570.txt- | SURROGATES | | SURROGATES | -- ../data/rfc/rfc3570.txt-Rzewski, et al. Informational [Page 10] ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt-RFC 3570 CDI Scenarios July 2003 ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt:4.3. 
BCN providing ACCOUNTING INTERNETWORKING ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- This scenario describes the case where a single entity (BCN A) ../data/rfc/rfc3570.txt: performs ACCOUNTING INTERNETWORKING to provide a clearinghouse/ ../data/rfc/rfc3570.txt- settlement function only. In this scenario, BCN A would enter into ../data/rfc/rfc3570.txt- NEGOTIATED RELATIONSHIPS with multiple CNs that each perform their ../data/rfc/rfc3570.txt- own DISTRIBUTION INTERNETWORKING and REQUEST-ROUTING INTERNETWORKING ../data/rfc/rfc3570.txt- as shown in Figure 3. ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt: Figure 3 - BCN providing ACCOUNTING INTERNETWORKING ../data/rfc/rfc3570.txt- ../data/rfc/rfc3570.txt- +--------------+ ../data/rfc/rfc3570.txt- | BCN A | ../data/rfc/rfc3570.txt- |..............| +-----------+ ../data/rfc/rfc3570.txt: | ACCOUNTING |<===>| | ../data/rfc/rfc3570.txt- +--------------+ | CONTENT | ../data/rfc/rfc3570.txt- | INTWRKING | ../data/rfc/rfc3570.txt- | GATEWAY | ../data/rfc/rfc3570.txt- | | ../data/rfc/rfc3570.txt- +-----------+ -- ../data/rfc/rfc3570.txt- |..............| +---------+ +---------+ |..............| ../data/rfc/rfc3570.txt- | REQ-ROUTING |<=>| |<=>| |<=>| REQ-ROUTING | ../data/rfc/rfc3570.txt- |..............| | CONTENT | | CONTENT | |..............| ../data/rfc/rfc3570.txt- | DISTRIBUTION |<=>|INTWRKING|<=>|INTWRKING|<=>| DISTRIBUTION | ../data/rfc/rfc3570.txt- |..............| | GATEWAY | | GATEWAY | |..............| ../data/rfc/rfc3570.txt: | ACCOUNTING |<=>| | | |<=>| ACCOUNTING | ../data/rfc/rfc3570.txt- +--------------+ +---------+ +---------+ +--------------+ ../data/rfc/rfc3570.txt- | ^ | ^ ../data/rfc/rfc3570.txt- v | v | ../data/rfc/rfc3570.txt- +--------------+ +--------------+ ../data/rfc/rfc3570.txt- | SURROGATES | | SURROGATES | -- ../data/rfc/rfc3570.txt- In the previously enumerated scenarios, PUBLISHERS have not been ../data/rfc/rfc3570.txt- discussed. 
../data/rfc/rfc3570.txt:

Much of the time, it is assumed that the PUBLISHERS will allow CNs to act on their behalf. For example, a PUBLISHER may designate a particular CN to be the AUTHORITATIVE REQUEST-ROUTING SYSTEM for its CONTENT. Similarly, a PUBLISHER may rely on a particular CN to aggregate all its ACCOUNTING data, even though that data may originate at SURROGATES in multiple distant CNs. Finally, a PUBLISHER may INJECT content only into a single CN and rely on that CN to ENLIST other CNs to obtain scale and reach.

However, a PUBLISHER may wish to maintain more control and take on the task of ENLISTING CNs itself, therefore acting as a PCN (Section 2.1). This scenario, shown in Figure 4, describes the case where a PCN wishes to directly enter into NEGOTIATED RELATIONSHIPS with multiple CNs. In this scenario, the PCN would operate its own CIG and enter into DISTRIBUTION INTERNETWORKING, ACCOUNTING INTERNETWORKING, and REQUEST-ROUTING INTERNETWORKING relationships with two or more CNs.

--

[Figure 4: ASCII diagram whose layout is not recoverable from the extraction. It shows the PCN's CONTENT INTERNETWORKING GATEWAY, with its REQ-ROUTING, DISTRIBUTION and ACCOUNTING interfaces, linked to the CONTENT INTERNETWORKING GATEWAY of CN A and of CN B, each of which sits in front of that CN's SURROGATES.]

--

has determined that all CONTENT REQUESTS from CLIENTS must be serviced locally. Likely due to a large CLIENT base in the LCN, multiple CNs determine they would like to engage in DISTRIBUTION INTERNETWORKING with the LCN in order to extend control over CONTENT objects held in the LCN's SURROGATES. Similarly, the CNs would like to engage in ACCOUNTING INTERNETWORKING with the LCN in order to receive ACCOUNTING data regarding the usage of the content in the local SURROGATES. This scenario is shown in Figure 5. Although this diagram shows a DISTRIBUTION INTERNETWORKING connection between CN A

--

[Figure 5: ASCII diagram whose layout is not recoverable from the extraction. Two CNs, each with a CONTENT INTERNETWORKING GATEWAY offering REQ-ROUTING, DISTRIBUTION and ACCOUNTING interfaces and each with its own SURROGATES, are linked to each other and, below them, to LCN A.]

--

+--------------+
|    LCN A     |
|..............|
| DISTRIBUTION |
|..............|
|  ACCOUNTING  |
|--------------|
      |  ^
      v  |
+--------------+
|  SURROGATES  |

--

Security concerns with respect to Content Internetworking can be generally categorized into trust within the system and protection of the system from threats.
The trust model utilized with Content Internetworking is predicated largely on transitive trust between the ORIGIN, REQUEST-ROUTING INTERNETWORKING SYSTEM, DISTRIBUTION INTERNETWORKING SYSTEM, ACCOUNTING INTERNETWORKING SYSTEM, and SURROGATES. Network elements within the Content Internetworking system are considered to be "insiders" and therefore trusted.

5.1. Threats to Content Internetworking

--

expecting for that CONTENT. (Note that this threat differs, at least in degree, from the substitution of security parameters threat below, as Web Content Zones can control whether or not, for example, the browser executes unsigned active content.)

5.1.1.2. Delivery of Bad Accounting Information

In the case of CONTENT with value, CLIENTs may be inappropriately charged for viewing content that they did not successfully access. Conversely, some PUBLISHERs may reward CLIENTs for viewing certain

--

RFC 3570 CDI Scenarios July 2003

CONTENT (e.g., programs that "pay" users to surf the Web). Should a CN fail to deliver appropriate accounting information, the CLIENT may not receive appropriate credit for viewing the required CONTENT.

5.1.1.3. Delivery of Bad CONTENT

A CN that does not deliver the appropriate CONTENT may provide the

--

5.1.2. Threats to the PUBLISHER

5.1.2.1. Delivery of Bad Accounting Information

If a CN does not deliver accurate accounting information, the PUBLISHER may be unable to charge CLIENTs for accessing CONTENT or it may reward CLIENTs inappropriately. Inaccurate accounting information may also cause a PUBLISHER to pay for services (e.g., content distribution) that were not actually rendered. Invalid accounting information may also affect PUBLISHERs indirectly by, for example, undercounting the number of site visitors (and, thus, reducing the PUBLISHER's advertising revenue).

5.1.2.2. Denial of Service

--

ORIGIN, should, for example, legal differences between the jurisdictions require or permit different treatment of the CONTENT.

5.1.3. Threats to a CN

5.1.3.1. Bad Accounting Information

If a CN is unable to collect or receive accurate accounting information, it may be unable to collect compensation for its services from PUBLISHERs.

--

5.1.3.2. Denial of Service

Misuse of a CN may make that CN's facilities unavailable, or available only at reduced functionality, to legitimate customers or the CN provider itself. Denial of service attacks can be targeted at a CN's ACCOUNTING SYSTEM, DISTRIBUTION SYSTEM, or REQUEST-ROUTING SYSTEM.

5.1.3.3. Transitive Threats

To the extent that a CN acts as either a CLIENT or a PUBLISHER (such

--

../data/rfc/rfc4176.txt:

2. Customer Service Operations and Management ................... 7
   2.1. Customer Service Management Information Model .......... 7
   2.2. Customer Management Functions .......................... 8
        2.2.1. Fault Management ............................... 8
        2.2.2. Configuration Management ....................... 9
        2.2.3. Accounting ..................................... 9
        2.2.4. Performance Management ......................... 10
        2.2.5. Security Management ............................ 10
   2.3. Customer Management Functional Description ............. 11
        2.3.1. L3VPN Service Offering Management .............. 11
        2.3.2. L3VPN Service Order Management ................. 12

--

3. Provider Network Manager ..................................... 12
   3.1. Provider Network Management Definition ................. 12
   3.2. Network Management Functions ........................... 13
        3.2.1. Fault Management ............................... 13
        3.2.2. Configuration Management ....................... 14
        3.2.3. Accounting ..................................... 17
        3.2.4. Performance Management ......................... 17
        3.2.5. Security Management ............................ 17
4. L3VPN Devices ................................................ 18
   4.1. Information Model ...................................... 18
   4.2. Communication .......................................... 18

--

activated at the egress of the service provider's network.

2.2. Customer Management Functions

This section presents detailed customer management functions in the traditional fault, configuration, accounting, performance, and security (FCAPS) management categories.

2.2.1. Fault Management

The fault management function of the Customer Service Manager relies

--

fields such as the customer premises that need to be interconnected via the VPN, and a QoS agreement template would contain fields such as one-way transit delay, inter-packet delay variation, throughput, and packet loss thresholds.

2.2.3. Accounting

The accounting management function of the Customer Manager is provided with network layer measurement information and manages this information.
The Customer Manager is responsible for the following accounting functions:

o Retrieval of accounting information from the Provider Network Manager

o Analysis, storage, and administration of measurements

Some providers may require near-real time reporting of measurement

--

management service.

If an SP supports "Dynamic Bandwidth Management" service, then the schedule and the amount of the bandwidth required to perform requested bandwidth allocation change(s) must be traceable for monitoring and accounting purposes.

Solutions should state compliance with accounting requirements, as described in section 1.7 of [RFC2975].

--

2.2.4. Performance Management

From the Customer Manager's perspective, performance management includes functions involved in the determination of the conformance level with the Service Level Specifications, such as QoS and availability measurements. The objective is to correlate accounting information with performance and fault management information to produce billing that takes into account SLA provisions for periods of time where the service level objectives are not met.

The performance information should reflect the quality of the

--

service, the number and size of virtual switching and forwarding table instances should be provisioned.

If an SP supports a "Dynamic Bandwidth Management" service, then the dates, times, amounts, and intervals required to perform requested bandwidth allocation change(s) may be traceable for accounting purposes.

--

3.2.2.6. Provisioning Hybrid VPN Services

Configuration of interworking L3VPN solutions should also be supported, taking security and end-to-end QoS issues into account.

3.2.3. Accounting

The Provider Network Manager is responsible for the measurements of resource utilization.

3.2.4. Performance Management

--

and their valuable suggestions.

7. Normative References

[RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to Accounting Management", RFC 2975, October 2000.

[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
[RFC2903] de Laat, C., Gross, G., Gommans, L., Vollbrecht, J., and

--

../data/rfc/rfc6572.txt:

Furthermore, this document defines the RADIUS-based interface between the local mobility anchor and the AAA RADIUS server for authorizing received Proxy Binding Update messages for the mobile node's mobility session. In addition to the interactions related to mobility session setup, this document defines the baseline for the mobile access gateway and the local mobility anchor generated accounting.

Status of This Memo

This is an Internet Standards Track document.

--

   5.1. Interface Operations ......................................26
   5.2. Table of Attributes .......................................27
6. LMA to RADIUS AAA Interface ....................................28
   6.1. Interface Operations ......................................28
   6.2. Table of Attributes .......................................30
7. Accounting .....................................................31
   7.1. Accounting at LMA .........................................31
   7.2. Accounting at MAG .........................................32
   7.3. Table of Attributes .......................................32
8. Security Considerations ........................................32
9. IANA Consideration .............................................33
   9.1. Attribute Type Codes ......................................33
   9.2. Namespaces ................................................33

--

the messaging interface needed between them for the operation of PMIP6 is beyond the scope of this document.

Home AAA (HAAA):

An Authentication, Authorization, and Accounting (AAA) server located in the MN's home network. This server has access to the mobile node's policy profiles.

Visited AAA (VAAA):

An Authentication, Authorization, and Accounting (AAA) server located in the MN's visited network. The VAAA server takes the role of a proxy server, forwarding the received AAA service request to the HAAA server in the mobile node's home network and relaying the response to the requesting node, after applying any local access network policies.

Local AAA (LAAA):

An Authentication, Authorization, and Accounting proxy located in the local network. In a roaming case, the local AAA has the visited AAA role.

3. Solution Overview

--

4.19. Chargeable-User-Identity

The Chargeable-User-Identity attribute, or CUI, (Type value 89) is a unique, temporary handle used as a means to, for example, correlate authentication, accounting, and bill post-processing for a particular chargeable subscriber. The CUI format and use follow the guidelines defined by [RFC4372].

In the scope of this document, the CUI attribute MAY be present in the Access-Request. The CUI MAY also be present in the Access-Accept. The CUI MUST be present in the Access-Accept if it was present in the Access-Request. If the use of the Chargeable-User-Identity attribute is supported, then the MAG and/or the LMA commits to include the Chargeable-User-Identity attribute in all subsequent RADIUS Accounting packets they send for the given user.

--

6.1. Interface Operations

The LMA-to-HAAA interface may be used for multiple purposes. These include the authorization of the incoming PBU, updating the LMA address to the HAAA, delegating the assignment of the MN-HNP or the IPv4-HoA to the HAAA, and accounting and PMIPv6 session management. The primary purpose of this interface is to update the HAAA with the

--

   0-1   0-1   0   0   155   PMIP6-Home-IPv4-HoA
   0-1   0-1   0   0   156   PMIP6-Visited-IPv4-HoA
   0-1   0-1   0   0   161   PMIP6-Home-IPv4-Gateway
   0-1   0-1   0   0   162   PMIP6-Visited-IPv4-Gateway

7. Accounting

RADIUS-based interfaces at the MAG and LMA with the AAA server enable the metering of traffic associated with the MN, commonly called "accounting". If accounting is turned on in the mobile node's policy profile, local routing SHOULD NOT be enabled [RFC5213].

7.1. Accounting at LMA

The accounting at the LMA to AAA server interface is based on [RFC2865] and [RFC2866]. This interface MUST support the transfer of accounting records needed for service control and charging. These records should include (but may not be limited to) the following: time of binding cache entry creation and deletion, number of the octets sent and received by the MN over the bi-directional tunnel, etc.

--

Xia, et al. Standards Track [Page 31]

RFC 6572 RADIUS PMIPv6 June 2012

7.2. Accounting at MAG

The accounting at the MAG to AAA server interface is based on [RFC2865] and [RFC2866]. The interface MUST also support the transfer of accounting records that should include the following: time of binding cache entry creation and deletion, number of the octets sent and received by the MN over the bi-directional tunnel, etc.

If there is data traffic between a visiting MN and a correspondent node that is locally attached to an access link connected to the same MAG, the mobile access gateway MAY optimize on the delivery efforts by locally routing the packets instead of using reverse tunneling to the mobile node's LMA. In this case, the local data traffic too MUST be reported to AAA Accounting servers by means of the RADIUS protocol.

7.3. Table of Attributes

The following table provides a list of attributes that may be included in the RADIUS Accounting messages. These attributes are to complement the set of accounting attributes already required by [RFC2866] and [RFC2869].
   Accounting
   Request     #    Attribute

    0-1       145   Mobile-Node-Identifier
    0-1       146   Service-Selection
    0-1       147   PMIP6-Home-LMA-IPv6-Address

--

Regarding the privacy threats associated with sending MN-specific information between the MAG and AAA server and between the LMA and AAA server, considerations of the RADIUS Base protocol [RFC2865], RADIUS Accounting [RFC2866], and the RADIUS EAP application [RFC3579] are applicable to this document. The MAG, LMA, and AAA server SHOULD avoid including attributes containing personally identifying information such as a MN's Interface ID, link-layer address, or NAI, except as needed and SHOULD pay special attention if identity hiding is desired.

--

[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003.

[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[RFC2869] Rigney, C., Willats, W., and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.

[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
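The Accounting-Request framing that the LMA and MAG interfaces above inherit from [RFC2866], as an added example (not code from RFC 6572 or from any RADIUS implementation): it builds a Stop record carrying the per-session counters listed in Sections 7.1 and 7.2 and a Chargeable-User-Identity in place of an NAI, computes and verifies the Request and Response Authenticators, and checks the CUI carry-forward rule of Section 4.19. The shared secret, NAS address, session identifier, counters and CUI value are constructed sample values.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 2865, RFC 2866 and RFC 4372.
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 4, 40
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
CHARGEABLE_USER_IDENTITY = 89
ACCT_START, ACCT_STOP = 1, 2


def attr(atype, value):
    """Encode one Type-Length-Value attribute; ints become 4-octet big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _authenticator(code, identifier, body, seed, secret):
    """MD5(Code + Identifier + Length + seed + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header, hashlib.md5(header + seed + body + secret).digest()


def build_accounting_request(secret, identifier, attributes):
    """RFC 2866: the Request Authenticator seed is 16 zero octets."""
    body = b"".join(attributes)
    header, auth = _authenticator(ACCOUNTING_REQUEST, identifier, body, bytes(16), secret)
    return header + auth + body


def build_accounting_response(secret, request):
    """RFC 2866: the Response Authenticator seed is the request's authenticator."""
    header, auth = _authenticator(ACCOUNTING_RESPONSE, request[1], b"", request[4:20], secret)
    return header + auth


def parse_attributes(body):
    attrs = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(body[pos + 2:pos + alen])
        pos += alen
    return attrs


def verify_accounting_request(secret, packet):
    """Recompute the authenticator; returns (ok, attributes). Any altered octet
    in the header or attributes, or a wrong shared secret, yields (False, {})."""
    if len(packet) < 20:
        return False, {}
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False, {}
    _, expected = _authenticator(code, identifier, packet[20:], bytes(16), secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, {}
    return True, parse_attributes(packet[20:])


def verify_accounting_response(secret, request, response):
    """A response binds to the request it answers through the request's authenticator."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    _, expected = _authenticator(ACCOUNTING_RESPONSE, response[1], response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def cui_carried_forward(access_accept_attrs, accounting_attrs):
    """Section 4.19: a CUI returned in the Access-Accept MUST appear, unchanged,
    in every subsequent Accounting packet for that user."""
    cui = access_accept_attrs.get(CHARGEABLE_USER_IDENTITY)
    return cui is None or accounting_attrs.get(CHARGEABLE_USER_IDENTITY) == cui


# Constructed sample: a MAG reports the Stop record of a PMIPv6 tunnel session,
# naming the subscriber by CUI rather than NAI (see the privacy note above).
SECRET = b"constructed-shared-secret"          # assumption: the MAG/AAA shared secret
STOP_RECORD = build_accounting_request(SECRET, 0x2A, [
    attr(ACCT_STATUS_TYPE, ACCT_STOP),
    attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),   # constructed MAG address
    attr(ACCT_SESSION_ID, b"mag1-bce-0001"),        # constructed binding cache entry id
    attr(ACCT_SESSION_TIME, 3600),                   # seconds between BCE creation and deletion
    attr(ACCT_INPUT_OCTETS, 1_200_000),              # octets from the MN over the tunnel
    attr(ACCT_OUTPUT_OCTETS, 8_500_000),             # octets to the MN over the tunnel
    attr(CHARGEABLE_USER_IDENTITY, b"cui-7f3a9c"),   # constructed temporary handle
])
```

The authenticator is MD5 keyed by the shared secret: it detects a modified counter or a record forged by a node that does not hold the secret, but it conceals nothing, which is why the privacy considerations above apply to the transport as much as to the attribute set (RADIUS over TLS, RFC 6614, or IPsec between MAG/LMA and the AAA server).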
--

../data/rfc/rfc4187.txt:

RFC 4187 EAP-AKA Authentication January 2006

AAA protocol

Authentication, Authorization and Accounting protocol

AKA

Authentication and Key Agreement

--

../data/rfc/rfc739.txt:

Decimal  Octal    Description
  1        1      Reserved
  2-71     2-107  AHHP Regular Messages [1,3]
 72-151  110-227  Reserved
152      230      PARC Universal Protocol
153      231      TIP Status Reporting
154      232      TIP Accounting
155-158  233-236  Internet Protocol [35,36]
159-191  237-277  Measurements [28]
192-195  300-303  Message Switching Protocol [4,5]
196-255  304-377  Experimental Protocols

--

../data/rfc/rfc7014.txt:

RFC 7014 Flow Selection Techniques September 2013

of a representative subset of flows in order to estimate parameters of the population. An adversary may have incentives to influence the selection of flows, for example, to circumvent accounting or to avoid the detection of packets that are part of an attack.

Security considerations concerning the choice of a hash function for Hash-based packet selection have been discussed in Section 6.2.3 of [RFC5475] and are also appropriate for Hash-based Flow Selection.
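One concrete form of the adversary just described, as an added example (not code from RFC 7014 or RFC 5475, and not an IPFIX implementation): a predictable, unkeyed hash selector lets an attacker choose 5-tuples that are never selected, so those flows escape both accounting and detection, while a selector keyed with a secret held only by the metering process samples the same crafted flows at the configured rate. The addresses, ports, sampling fraction and key are constructed; HMAC-SHA256 is used here as the keyed function, and which hash function to use is exactly the question Section 6.2.3 of RFC 5475 discusses.

```python
import hashlib
import hmac
import ipaddress
import struct

SELECT_FRACTION = 0.25                       # assumption: select one flow in four
SECRET_KEY = b"constructed-selector-key"     # assumption: known only to the meter


def flow_key_bytes(src, dst, proto, sport, dport):
    """Canonical 5-tuple encoding, so every packet of a flow hashes identically."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!BHH", proto, sport, dport))


def _in_range(digest, fraction):
    # Map the first 64 bits of the digest onto [0, 1) and compare with the fraction.
    return int.from_bytes(digest[:8], "big") < int(fraction * 2**64)


def unkeyed_selected(flow, fraction=SELECT_FRACTION):
    """Predictable selector: anyone who knows the algorithm can evaluate it."""
    return _in_range(hashlib.sha256(flow_key_bytes(*flow)).digest(), fraction)


def keyed_selected(flow, fraction=SELECT_FRACTION, key=SECRET_KEY):
    """Keyed selector: without the key, selection is unpredictable to the sender."""
    return _in_range(hmac.new(key, flow_key_bytes(*flow), "sha256").digest(), fraction)


def craft_unselected_flows(selector, count, src, dst, proto, dport):
    """Adversary: vary the source port until `selector` never picks the flow.
    This only works if the adversary can evaluate `selector` offline."""
    flows = []
    sport = 1024
    while len(flows) < count and sport < 65536:
        flow = (src, dst, proto, sport, dport)
        if not selector(flow):
            flows.append(flow)
        sport += 1
    return flows


def selected_count(selector, flows):
    """How many of `flows` the meter would actually select."""
    return sum(1 for flow in flows if selector(flow))


# Constructed attack traffic: 400 TCP flows to port 443 whose source ports were
# chosen so that the unkeyed selector never samples them.
ATTACK_FLOWS = craft_unselected_flows(unkeyed_selected, 400,
                                      "198.51.100.7", "203.0.113.9", 6, 443)
```

Against the unkeyed selector the crafted flows are invisible; the keyed selector still samples roughly a quarter of them, and the attacker regains evasion only by learning the key, which is why the key must be generated per meter, kept out of configuration exports, and rotated.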
--

../data/rfc/rfc2828.txt:

- "XTACACS": The name of Cisco Corporation's implementation, which enhances and extends the original TACACS.

- "TACACS+": A TCP-based protocol that improves on TACACS and XTACACS by separating the functions of authentication, authorization, and accounting and by encrypting all traffic between the network access server and authentication server. It is extensible to allow any authentication mechanism to be used with TACACS+ clients.

$ TESS

--

../data/rfc/rfc8045.txt:

IPv4 Clients to IPv4 Servers (NAT44) [RFC3022], NAT from IPv6 Clients to IPv4 Servers (NAT64) [RFC6146], or Dual-Stack Lite Address Family Transition Router (AFTR) [RFC6333] function. In such case, the CGN IP transport port (e.g., TCP/UDP port) mapping behaviors can be part of the configuration information sent from the RADIUS server to the NAS/BNG.
As part of the accounting information sent from the NAS/BNG to a RADIUS server, the NAS/BNG may also report the IP port mapping behavior applied by the CGN to a user session.

When IP packets traverse the CGN, it performs mapping on the IP transport (e.g., TCP/UDP) source port as required. An IP transport

--

This document proposes three new attributes as RADIUS protocol extensions; they are used for separate purposes, as follows:

1. IP-Port-Limit-Info: This attribute may be carried in a RADIUS Access-Accept, Access-Request, Accounting-Request, or CoA-Request packet. The purpose of this attribute is to limit the total number of IP source transport ports allocated to a user and associated with one or more IPv4 or IPv6 addresses.

2. IP-Port-Range: This attribute may be carried in a RADIUS Accounting-Request packet. The purpose of this attribute is for an address-sharing device (e.g., a CGN) to report to the RADIUS

Cheng, et al. Standards Track [Page 4]

server the range of IP source transport ports that have been allocated or deallocated for a user. The port range is bound to an external IPv4 address.

3. IP-Port-Forwarding-Map: This attribute may be carried in a RADIUS Access-Accept, Access-Request, Accounting-Request, or CoA-Request packet. The purpose of this attribute is to specify how an IP internal source transport port, together with its internal IPv4 or IPv6 address, is mapped to an external source transport port along with the external IPv4 address.

--

preferred maximum number of IP ports indicated by the device supporting port ranges co-located with the NAS, e.g., a CGN or NAT64.

The IP-Port-Limit-Info Attribute MAY appear in a CoA-Request packet.

The IP-Port-Limit-Info Attribute MAY appear in an Accounting-Request packet.

The IP-Port-Limit-Info Attribute MUST NOT appear in any other RADIUS packet.

--

end user. This TLV MUST be included in the IP-Port-Limit-Info Attribute. Refer to Section 3.2.2. This limit applies to all mappings that can be instantiated by an underlying address-sharing device without soliciting any external entity. In particular, this limit does not include the ports that are instructed by an Authentication, Authorization, and Accounting (AAA) server.

IP-Port-Ext-IPv4-Addr TLV

This TLV contains the IPv4 address that is associated with the

--

number.

The information contained in the IP-Port-Range Attribute is sent to the RADIUS server.

The IP-Port-Range Attribute MAY appear in an Accounting-Request packet.

The IP-Port-Range Attribute MUST NOT appear in any other RADIUS packet.

--

The IP-Port-Forwarding-Map Attribute MAY appear in a CoA-Request packet.

The IP-Port-Forwarding-Map Attribute MAY also appear in an Accounting-Request packet.

The IP-Port-Forwarding-Map Attribute MUST NOT appear in any other RADIUS packet.

--

the NAS, and proper configuration is accomplished on the CGN device for that user.

Also, a CGN operation status such as CGN port allocation and deallocation for a specific user on the BNG can also be transmitted back to the RADIUS server for accounting purposes using the RADIUS protocol.

The RADIUS protocol has already been widely deployed in broadband networks to manage BNG, thus the functionality described in this specification introduces little overhead to the existing network

--

      |                          |                             |
      |                          |                             |
      |   (NAT64 decides to allocate                           |
      |    a TCP/UDP port range for the user)                  |
      |                          |                             |
      |                          |-----Accounting-Request----->|
      |                          |     (IP-Port-Range          |
      |                          |      for allocation)        |
     ...                        ...                           ...
      |                          |                             |
      |   (NAT64 decides to deallocate                         |
      |    a TCP/UDP port range for the user)                  |
      |                          |                             |
      |                          |-----Accounting-Request----->|
      |                          |     (IP-Port-Range          |
      |                          |      for deallocation)      |
      |                          |                             |

Figure 17: RADIUS Message Flow for Reporting NAT64

--

      |   associate it with the  |                               |
      |   internal IP address    |                               |
      |   and external IP address)                               |
      |                          |                               |
      |                          |                               |
      |                          |------Accounting-Request------>|
      |                          |      (IP-Port-Forwarding-Map) |

Figure 18: RADIUS Message Flow for Configuring a Port Forwarding Mapping

--

consecutive ports, from 3500 to 3540, inclusively, and also assigns a shared IPv4 address 192.0.2.15 for Joe. The CGN device also randomly selects one port from the allocated range (say, 3519) and uses that port to replace the original source port in outbound IP packets.

For accounting purposes, the CGN device passes this port range (3500-3540) and the shared IPv4 address 192.0.2.15 together to the RADIUS server using the IP-Port-Range Attribute carried by an Accounting-Request message.

When Joe works on more applications with more outbound IP mappings and the port pool (3500-3540) is close to exhaustion, the CGN device allocates a second port pool (8500-8800) in a similar fashion and also passes the new port range (8500-8800) and IPv4 address 192.0.2.15 together to the RADIUS server using the IP-Port-Range Attribute carried by an Accounting-Request message. Note that when the CGN allocates more ports, it needs to ensure that the total number of ports allocated for Joe is within the limit.

Joe decides to upgrade his service agreement with more TCP/UDP ports allowed (up to 1000 ports). The ISP updates the information in Joe's

--

applications.

When Joe is not using his service, most of the IP mappings are closed with their associated TCP/UDP ports released on the CGN device, which then sends the relevant information back to the RADIUS server using the IP-Port-Range Attribute carried by the Accounting-Request message.

Throughout Joe's connection with his ISP, applications can communicate with his web cam at home from the external realm, thus directly traversing the pre-configured mapping on the CGN device.
-- ../data/rfc/rfc8045.txt- |<---IP@----| | | ../data/rfc/rfc8045.txt- | | | | ../data/rfc/rfc8045.txt- | (CPE assigns a TCP/UDP port | ../data/rfc/rfc8045.txt- | range for this visiting UE) | ../data/rfc/rfc8045.txt- | | | ../data/rfc/rfc8045.txt: | |--Accounting-Request-...------------------->| ../data/rfc/rfc8045.txt- | | (IP-Port-Range | ../data/rfc/rfc8045.txt- | | for allocation) | ../data/rfc/rfc8045.txt- ... | ... ... ../data/rfc/rfc8045.txt- | | | | ../data/rfc/rfc8045.txt- | | | | ../data/rfc/rfc8045.txt- | (CPE withdraws a TCP/UDP port | ../data/rfc/rfc8045.txt- | range for a visiting UE) | ../data/rfc/rfc8045.txt- | | | ../data/rfc/rfc8045.txt: | |--Accounting-Request-...------------------->| ../data/rfc/rfc8045.txt- | | (IP-Port-Range | ../data/rfc/rfc8045.txt- | | for deallocation) | ../data/rfc/rfc8045.txt- | | | ../data/rfc/rfc8045.txt- ../data/rfc/rfc8045.txt- Figure 20: RADIUS Message Flow for Reporting CPE -- ../data/rfc/rfc8045.txt- length is deployment and implementation dependent. This identifier ../data/rfc/rfc8045.txt- might carry privacy-sensitive information. It is therefore ../data/rfc/rfc8045.txt- RECOMMENDED to utilize identifiers that do not have such privacy ../data/rfc/rfc8045.txt- concerns. ../data/rfc/rfc8045.txt- ../data/rfc/rfc8045.txt: If there is any error in a RADIUS Accounting-Request packet sent ../data/rfc/rfc8045.txt- from a RADIUS client to the server, the RADIUS server MUST NOT send ../data/rfc/rfc8045.txt- a response to the client (refer to [RFC2866]). Examples of the ../data/rfc/rfc8045.txt- errors include the erroneous port range in the ../data/rfc/rfc8045.txt- IP-Port-Range Attribute, inconsistent port mapping in the ../data/rfc/rfc8045.txt- IP-Port-Forwarding-Map Attribute, etc. -- ../data/rfc/rfc8045.txt- [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., ../data/rfc/rfc8045.txt- and E. 
Lear, "Address Allocation for Private Internets", ../data/rfc/rfc8045.txt- BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, ../data/rfc/rfc8045.txt- <http://www.rfc-editor.org/info/rfc1918>. ../data/rfc/rfc8045.txt- ../data/rfc/rfc8045.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, ../data/rfc/rfc8045.txt- DOI 10.17487/RFC2866, June 2000, ../data/rfc/rfc8045.txt- <http://www.rfc-editor.org/info/rfc2866>. ../data/rfc/rfc8045.txt- ../data/rfc/rfc8045.txt- [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network ../data/rfc/rfc8045.txt- Address Translator (Traditional NAT)", RFC 3022, -- ../data/rfc/rfc5619.txt- As the softwire deployment model, the following three cases as shown ../data/rfc/rfc5619.txt- in Figure 1 should be considered. Cases 2 and 3 are typical for a ../data/rfc/rfc5619.txt- nomadic node, but are also applicable to a stationary node. In order ../data/rfc/rfc5619.txt- to securely connect a legitimate SI and SC to each other, the ../data/rfc/rfc5619.txt- authentication process between SI and SC is normally performed using ../data/rfc/rfc5619.txt: Authentication, Authorization, and Accounting (AAA) servers. ../data/rfc/rfc5619.txt- ../data/rfc/rfc5619.txt- ../data/rfc/rfc5619.txt- ../data/rfc/rfc5619.txt- ../data/rfc/rfc5619.txt- -- ../data/rfc/rfc5619.txt- and the visited AAA server may consist of several AAA proxies. In ../data/rfc/rfc5619.txt- this case, the AAA proxy threat model SHOULD be considered [RFC2607]. ../data/rfc/rfc5619.txt- A malicious AAA proxy may launch passive or active security attacks. ../data/rfc/rfc5619.txt- The trustworthiness of proxies in AAA proxy chains will weaken when ../data/rfc/rfc5619.txt- the hop counts of the proxy chain is longer. For example, the ../data/rfc/rfc5619.txt: accounting information exchanged among AAA proxies is attractive for ../data/rfc/rfc5619.txt- an adversary. The communication between a home AAA server and a ../data/rfc/rfc5619.txt- visited AAA server MUST be protected. 
../data/rfc/rfc5619.txt- ../data/rfc/rfc5619.txt-3.3. Softwire Security Threat Scenarios ../data/rfc/rfc5619.txt- -- ../data/rfc/rfc3552.txt- ../data/rfc/rfc3552.txt- ../data/rfc/rfc3552.txt- trusted in the given context. For instance, users who possess ../data/rfc/rfc3552.txt- certificates issued by the Acme MIS CA may have different web access ../data/rfc/rfc3552.txt- privileges than users who possess certificates issued by the Acme ../data/rfc/rfc3552.txt: Accounting CA, even though both of these CAs are "trusted" by the ../data/rfc/rfc3552.txt- Acme web server. ../data/rfc/rfc3552.txt- ../data/rfc/rfc3552.txt- Mechanisms for enforcing these more complicated properties have not ../data/rfc/rfc3552.txt- yet been completely explored. One approach is simply to attach ../data/rfc/rfc3552.txt- policies to ACLs describing what sorts of certificates are trusted. -- ../data/rfc/rfc160.txt- Response to RFC 116 5849 131 ../data/rfc/rfc160.txt- Typographical Error in RFC 107 6708 132 ../data/rfc/rfc160.txt- File Transfer and Error Recovery 6710 133 ../data/rfc/rfc160.txt- Network Meeting 6711 134 ../data/rfc/rfc160.txt- Response to NWG/RFC 110 6712 135 ../data/rfc/rfc160.txt: Host Accounting and Administrative Procedures 6713 136 ../data/rfc/rfc160.txt- TELNET Protocol - A Proposed Document 6714 137 ../data/rfc/rfc160.txt- Status Report on Proposed Data Reconfiguration 6715 138 ../data/rfc/rfc160.txt- Discussion of Proposed TELNET 6717 139 ../data/rfc/rfc160.txt- Agenda for May NWG Meeting 6725 140 ../data/rfc/rfc160.txt- Comments on RFC 114 (A File Transfer Protocol) 6726 141 -- ../data/rfc/rfc1322.txt- time. The setup protocol defines packet formats and the processing ../data/rfc/rfc1322.txt- of route installation request packets (i.e, setup packets). 
When a ../data/rfc/rfc1322.txt- source generates a setup packet, the first border router along the ../data/rfc/rfc1322.txt- specified source route checks the setup request, and if accepted, ../data/rfc/rfc1322.txt- installs routing information; this information includes a path ID, ../data/rfc/rfc1322.txt: the previous and next hops, and whatever other accounting-related ../data/rfc/rfc1322.txt- information the particular domain requires. The setup packet is ../data/rfc/rfc1322.txt- passed on to the next BR in the domain-level source route, and the ../data/rfc/rfc1322.txt- same procedure is carried out [Footnote: The setup packet may be ../data/rfc/rfc1322.txt- forwarded optimistically, i.e., before checks are completed, to ../data/rfc/rfc1322.txt- reduce latency.]. When the setup packet reaches the destination, an -- ../data/rfc/rfc333.txt- network. The library process has a RECEIVE from ANY always pending ../data/rfc/rfc333.txt- at a well-known port. Eventually, some process sends a message to ../data/rfc/rfc333.txt- the library process' well-known-port. This message includes the data ../data/rfc/rfc333.txt- to be processed, a port to use for sending the answer, and the money. ../data/rfc/rfc333.txt- The library process takes some of the money and sends it to the ../data/rfc/rfc333.txt: well-known port of the accounting process which itself has a RECEIVE ../data/rfc/rfc333.txt- from ANY pending. The library process then processes the data and ../data/rfc/rfc333.txt- sends the answer back to the process which requested the service ../data/rfc/rfc333.txt- using a SEND to SPECIFIC message which rendezvous at the destination ../data/rfc/rfc333.txt- where there is already a RECEIVE from SPECIFIC pending. Of course, ../data/rfc/rfc333.txt- in this message besides the answer, any change the requesting process -- ../data/rfc/rfc8994.txt- the data plane are configured correctly, will the data plane and the ../data/rfc/rfc8994.txt- OAM and/or control plane work as expected. 
../data/rfc/rfc8994.txt- ../data/rfc/rfc8994.txt- Data plane connectivity can be affected by errors and faults. ../data/rfc/rfc8994.txt- Examples include misconfigurations that make AAA (Authentication, ../data/rfc/rfc8994.txt: Authorization, and Accounting) servers unreachable or that can lock ../data/rfc/rfc8994.txt- an administrator out of a device; routing or addressing issues can ../data/rfc/rfc8994.txt- make a device unreachable; and shutting down interfaces over which a ../data/rfc/rfc8994.txt- current management session is running can lock an administrator ../data/rfc/rfc8994.txt- irreversibly out of the device. Traditionally only out-of-band ../data/rfc/rfc8994.txt- access via a serial console or Ethernet management port can help -- ../data/rfc/rfc2378.txt- Prints the message of the day and the current status of the ../data/rfc/rfc2378.txt- nameserver. ../data/rfc/rfc2378.txt- ../data/rfc/rfc2378.txt- C: status ../data/rfc/rfc2378.txt- S: 100:Qi server $Revision: 1.6 $ ../data/rfc/rfc2378.txt: S: 100:Ph passwords may be obtained at CCSO Accounting, ../data/rfc/rfc2378.txt- S: 100:1420 Digital Computer Lab, between 8:30 and 5 Monday-Friday. ../data/rfc/rfc2378.txt- S: 100:Be sure to bring your U of I ID card. ../data/rfc/rfc2378.txt- S: 200:Database ready ../data/rfc/rfc2378.txt- ../data/rfc/rfc2378.txt-3.2. siteinfo -- ../data/rfc/rfc3675.txt- Internet governance, and raise concerns about forced speech and ../data/rfc/rfc3675.txt- self-labeling. ../data/rfc/rfc3675.txt- ../data/rfc/rfc3675.txt- In fact, the ultimate arbiter of generic top-level domain names -- at ../data/rfc/rfc3675.txt- least currently -- is not ICANN, but the U.S. government. The U.S. ../data/rfc/rfc3675.txt: Congress' General Accounting Office in July 2000 reported that the ../data/rfc/rfc3675.txt- Commerce Department continues to be responsible for domain names ../data/rfc/rfc3675.txt- allowed by the authoritative root [GAO]. 
The GAO's auditors ../data/rfc/rfc3675.txt- concluded it was unclear whether the Commerce Department has the ../data/rfc/rfc3675.txt- "requisite authority" under current law to transfer that ../data/rfc/rfc3675.txt- responsibility to ICANN. -- ../data/rfc/rfc33.txt- contributed to the following design philosophy. ../data/rfc/rfc33.txt- ../data/rfc/rfc33.txt- First, because the computers in the network have independent purposes ../data/rfc/rfc33.txt- it is necessary to preserve decentralized administrative control of ../data/rfc/rfc33.txt- the various computers. Since all of the time-sharing supervisors ../data/rfc/rfc33.txt: possess elaborate and definite accounting and resource allocation ../data/rfc/rfc33.txt- ../data/rfc/rfc33.txt- ../data/rfc/rfc33.txt- ../data/rfc/rfc33.txt-Crocker, et. al. [Page 4] ../data/rfc/rfc33.txt- -- ../data/rfc/rfc5226.txt- To ensure adequate community review, such documents are ../data/rfc/rfc5226.txt- shepherded through the IESG as AD-sponsored (or WG) ../data/rfc/rfc5226.txt- documents with an IETF Last Call. ../data/rfc/rfc5226.txt- ../data/rfc/rfc5226.txt- Examples: IPSECKEY Algorithm Types [RFC4025], ../data/rfc/rfc5226.txt: Accounting-Auth-Method AVP values in DIAMETER [RFC4005], TLS ../data/rfc/rfc5226.txt- Handshake Hello Extensions [RFC4366]. ../data/rfc/rfc5226.txt- ../data/rfc/rfc5226.txt- Standards Action - Values are assigned only for Standards Track ../data/rfc/rfc5226.txt- RFCs approved by the IESG. ../data/rfc/rfc5226.txt- -- ../data/rfc/rfc6678.txt- [RFC4017] Stanley, D., Walker, J., and B. Aboba, "Extensible ../data/rfc/rfc6678.txt- Authentication Protocol (EAP) Method Requirements for ../data/rfc/rfc6678.txt- Wireless LANs", RFC 4017, March 2005. ../data/rfc/rfc6678.txt- ../data/rfc/rfc6678.txt- [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, ../data/rfc/rfc6678.txt: Authorization, and Accounting (AAA) Key Management", ../data/rfc/rfc6678.txt- BCP 132, RFC 4962, July 2007. 
../data/rfc/rfc6678.txt- ../data/rfc/rfc6678.txt- [RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and ../data/rfc/rfc6678.txt- W. Polk, "Server-Based Certificate Validation Protocol ../data/rfc/rfc6678.txt- (SCVP)", RFC 5055, December 2007. -- ../data/rfc/rfc6463.txt- transparent at the PMIPv6 protocol level and do not depend on the ../data/rfc/rfc6463.txt- functionality defined in this specification. ../data/rfc/rfc6463.txt- ../data/rfc/rfc6463.txt- The runtime LMA assignment functionality does not depend on the ../data/rfc/rfc6463.txt- Domain Name System (DNS) or the Authentication, Authorization, and ../data/rfc/rfc6463.txt: Accounting (AAA) infrastructure for the assignment of the LMA to ../data/rfc/rfc6463.txt- which the mobile node (MN) is anchored. All MAGs and LMAs (either ../data/rfc/rfc6463.txt- rfLMAs or r2LMAs; see Section 2.2) have to belong to the same PMIPv6 ../data/rfc/rfc6463.txt- domain. ../data/rfc/rfc6463.txt- ../data/rfc/rfc6463.txt- There are a number of reasons why the runtime LMA assignment is a -- ../data/rfc/rfc4396.txt- Every sample description MUST have its own TYPE 5 header. ../data/rfc/rfc4396.txt- ../data/rfc/rfc4396.txt- The U, R, and TYPE fields are used as per Section 4.1.1. ../data/rfc/rfc4396.txt- ../data/rfc/rfc4396.txt- The LEN field indicates the length of the sample description, plus ../data/rfc/rfc4396.txt: three units accounting for the SIDX and LEN field itself. Thus, this ../data/rfc/rfc4396.txt- field MUST be greater than three (0x0003). Otherwise, the unit MUST ../data/rfc/rfc4396.txt- be discarded. ../data/rfc/rfc4396.txt- ../data/rfc/rfc4396.txt- If the sample is streamed from a 3GP file, the length of the sample ../data/rfc/rfc4396.txt- description contents (i.e., what comes after SIDX in the unit itself) -- ../data/rfc/rfc5867.txt- single trade may have multiple independent teams working ../data/rfc/rfc5867.txt- simultaneously. 
Furthermore, the HVAC, lighting, and fire systems ../data/rfc/rfc5867.txt- must be fully operational before the building can obtain its ../data/rfc/rfc5867.txt- occupancy permit. Hence, the BMS must be in place and configured ../data/rfc/rfc5867.txt- well before any of the IT servers (DHCP; Authentication, ../data/rfc/rfc5867.txt: Authorization, and Accounting (AAA); DNS; etc.) are operational. ../data/rfc/rfc5867.txt- ../data/rfc/rfc5867.txt- ../data/rfc/rfc5867.txt- ../data/rfc/rfc5867.txt-Martocci, et al. Informational [Page 8] ../data/rfc/rfc5867.txt- -- ../data/rfc/rfc4258.txt- ../data/rfc/rfc4258.txt- Management plane: Performs management functions for the transport ../data/rfc/rfc4258.txt- plane, the control plane, and the system as a whole. It also ../data/rfc/rfc4258.txt- provides coordination between all the planes. The following ../data/rfc/rfc4258.txt- management functional areas are performed in the management plane: ../data/rfc/rfc4258.txt: performance, fault, configuration, accounting, and security ../data/rfc/rfc4258.txt- management. ../data/rfc/rfc4258.txt- ../data/rfc/rfc4258.txt- ../data/rfc/rfc4258.txt- ../data/rfc/rfc4258.txt- -- ../data/rfc/rfc1126.txt- recently installed fiber cables provide abundant communication ../data/rfc/rfc1126.txt- bandwidths, while old narrow-band channels will still be with us for ../data/rfc/rfc1126.txt- a long time period. Electronic mail traffic tolerates delivery ../data/rfc/rfc1126.txt- delays and low throughput. New image transmissions are coming up; ../data/rfc/rfc1126.txt- these require high bandwidths but are not effected by a few bit ../data/rfc/rfc1126.txt: errors. Furthermore, some networks may soon install accounting ../data/rfc/rfc1126.txt- functions to charge users, while others may still provide free ../data/rfc/rfc1126.txt- services. 
../data/rfc/rfc1126.txt- ../data/rfc/rfc1126.txt- Considering the long life span of a new routing architecture, it is ../data/rfc/rfc1126.txt- mandatory that it be built with mechanisms to provide TOS routing. -- ../data/rfc/rfc6807.txt- Population Count Extensions to Protocol Independent Multicast (PIM) ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt-Abstract ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- This specification defines a method for providing multicast ../data/rfc/rfc6807.txt: distribution-tree accounting data. Simple extensions to the Protocol ../data/rfc/rfc6807.txt- Independent Multicast (PIM) protocol allow a rough approximation of ../data/rfc/rfc6807.txt- tree-based data in a scalable fashion. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt-Status of This Memo ../data/rfc/rfc6807.txt- -- ../data/rfc/rfc6807.txt-RFC 6807 Population Count Extensions to PIM December 2012 ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt-1. Introduction ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt: This document specifies a mechanism to convey accounting information ../data/rfc/rfc6807.txt- using the Protocol Independent Multicast (PIM) protocol [RFC4601] ../data/rfc/rfc6807.txt- [RFC5015]. Putting the mechanism in PIM allows efficient ../data/rfc/rfc6807.txt: distribution and maintenance of such accounting information. ../data/rfc/rfc6807.txt- Previous mechanisms require data to be correlated from multiple ../data/rfc/rfc6807.txt- router sources. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- This mechanism allows a single router to be queried to obtain ../data/rfc/rfc6807.txt: accounting and statistic information for a multicast distribution ../data/rfc/rfc6807.txt- tree as a whole or any distribution sub-tree downstream from a ../data/rfc/rfc6807.txt- queried router. 
The amount of information is fixed and does not ../data/rfc/rfc6807.txt- increase as multicast membership, tree diameter, or branching ../data/rfc/rfc6807.txt- increases. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt: The sort of accounting data this specification provides, on a per- ../data/rfc/rfc6807.txt- multicast-route basis, are: ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- 1. The number of branches in a distribution tree. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- 2. The membership type of the distribution tree, that is, Source- -- ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- P flag: This flag is set by a router if all downstream routers ../data/rfc/rfc6807.txt- support this specification. That is, they are all PIM Pop- ../data/rfc/rfc6807.txt- Count capable. If a downstream router does not support this ../data/rfc/rfc6807.txt- specification, it MUST be cleared. This allows one to tell if ../data/rfc/rfc6807.txt: the entire sub-tree is completely accounting capable. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- Options Bitmap: This is a bitmap that shows which options are ../data/rfc/rfc6807.txt- present. The format of the bitmap is as follows: ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- 0 1 -- ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- It is also RECOMMENDED that join suppression be disabled on a LAN ../data/rfc/rfc6807.txt- when Pop-Count is used. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- It is RECOMMENDED that, when triggered Join/Prune messages are sent ../data/rfc/rfc6807.txt: by a downstream router, the accounting information not be included in ../data/rfc/rfc6807.txt- the message. This way, when convergence is important, avoiding the ../data/rfc/rfc6807.txt: processing time to build an accounting record in a downstream router ../data/rfc/rfc6807.txt- and processing time to parse the message in the upstream router will ../data/rfc/rfc6807.txt- help reduce convergence time. 
If an upstream router receives a Join/ ../data/rfc/rfc6807.txt: Prune message with no accounting data, it SHOULD NOT interpret the ../data/rfc/rfc6807.txt: message as a trigger to clear or reset the accounting data it has ../data/rfc/rfc6807.txt- cached. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt-5. Implementation Approaches ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- This section offers some non-normative suggestions for how Pop-Count ../data/rfc/rfc6807.txt- may be implemented. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt: An implementation can decide how the accounting attributes are ../data/rfc/rfc6807.txt- maintained. The values can be stored as part of the multicast route ../data/rfc/rfc6807.txt- data structure by combining the local information it has with the ../data/rfc/rfc6807.txt- joined information on a per-oif basis. So, when it is time to send a ../data/rfc/rfc6807.txt- Join/Prune message, the values stored in the multicast route can be ../data/rfc/rfc6807.txt- copied to the message. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt: Or, an implementation could store the accounting values per oif and, ../data/rfc/rfc6807.txt- when a Join/Prune message is sent, it can combine the oifs with its ../data/rfc/rfc6807.txt- local information. Then, the combined information can be copied to ../data/rfc/rfc6807.txt- the message. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- -- ../data/rfc/rfc6807.txt-Farinacci, et al. Experimental [Page 12] ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt-RFC 6807 Population Count Extensions to PIM December 2012 ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt: When a downstream joiner stops joining, accounting values cached must ../data/rfc/rfc6807.txt- be evaluated. There are two approaches that can be taken. 
One is to ../data/rfc/rfc6807.txt- keep values learned from each joiner, so when the joiner goes away, ../data/rfc/rfc6807.txt- the count/max/min values are known and the combined value can be ../data/rfc/rfc6807.txt- adjusted. The other approach is to set the value to 0 for the oif, ../data/rfc/rfc6807.txt- and then start accumulating new values as subsequent Joins are -- ../data/rfc/rfc6807.txt- the route). ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt-6. Caveats ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- This specification requires each router on a multicast distribution ../data/rfc/rfc6807.txt: tree to support this specification or else the accounting attributes ../data/rfc/rfc6807.txt- for the tree will not be known. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- However, if there is a contiguous set of routers downstream in the ../data/rfc/rfc6807.txt: distribution tree, they can maintain accounting information for the ../data/rfc/rfc6807.txt- sub-tree. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- If there is a set of contiguous routers supporting this specification ../data/rfc/rfc6807.txt: upstream on the multicast distribution tree, accounting information ../data/rfc/rfc6807.txt- will be available, but it will not represent an accurate assessment ../data/rfc/rfc6807.txt- of the entire tree. Also, it will not be clear how much of the ../data/rfc/rfc6807.txt: distribution tree the accounting information covers. ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt-7. IANA Considerations ../data/rfc/rfc6807.txt- ../data/rfc/rfc6807.txt- A new PIM-Hello Option type, 29, has been assigned by IANA. Although ../data/rfc/rfc6807.txt- the length is specified as 0 in this specification, non-zero length -- ../data/rfc/rfc8192.txt-RFC 8192 I2NSF Problem Statement & Use Cases July 2017 ../data/rfc/rfc8192.txt- ../data/rfc/rfc8192.txt- ../data/rfc/rfc8192.txt-2. 
Terminology ../data/rfc/rfc8192.txt- ../data/rfc/rfc8192.txt: AAA: Authentication, Authorization, and Accounting [RFC2904] ../data/rfc/rfc8192.txt- ../data/rfc/rfc8192.txt- ACL: Access Control List ../data/rfc/rfc8192.txt- ../data/rfc/rfc8192.txt- Bespoke security management: Security management that is made to fit ../data/rfc/rfc8192.txt- a particular customer. -- ../data/rfc/rfc105.txt-II - Remote Job Output Retrieval (RJOR) ../data/rfc/rfc105.txt- ../data/rfc/rfc105.txt- Class A SYSOUT output from jobs submitted through RJE for batch ../data/rfc/rfc105.txt-processing at UCSB may be obtained by contacting socket x'300', site 3, ../data/rfc/rfc105.txt-provided that when the job was submitted, the character 'T' appeared as ../data/rfc/rfc105.txt:the eighth positional accounting parameter on the job card. Output is ../data/rfc/rfc105.txt-retrieved upon request and relayed to the Network user by a process ../data/rfc/rfc105.txt-hereafter called RJOR which is addressed as socket x'300'. RJOR can be ../data/rfc/rfc105.txt-invoked through the Logger. This section is intended to provide ../data/rfc/rfc105.txt-programmers with the information necessary to communicate with RJOR. ../data/rfc/rfc105.txt- -- ../data/rfc/rfc6911.txt- ../data/rfc/rfc6911.txt-Abstract ../data/rfc/rfc6911.txt- ../data/rfc/rfc6911.txt- This document specifies additional IPv6 RADIUS Attributes useful in ../data/rfc/rfc6911.txt- residential broadband network deployments. The Attributes, which are ../data/rfc/rfc6911.txt: used for authorization and accounting, enable assignment of a host ../data/rfc/rfc6911.txt- IPv6 address and an IPv6 DNS server address via DHCPv6, assignment of ../data/rfc/rfc6911.txt- an IPv6 route announced via router advertisement, assignment of a ../data/rfc/rfc6911.txt- named IPv6 delegated prefix pool, and assignment of a named IPv6 pool ../data/rfc/rfc6911.txt- for host DHCPv6 addressing. 
../data/rfc/rfc6911.txt- -- ../data/rfc/rfc6911.txt- a wide variety of network access scenarios in which RADIUS is ../data/rfc/rfc6911.txt- involved. One such typical network scenario is illustrated in Figure ../data/rfc/rfc6911.txt- 1. It is composed of an IP Routing Residential Gateway (RG) or host; ../data/rfc/rfc6911.txt- a Layer 2 Access Node (AN), e.g., a Digital Subscriber Line Access ../data/rfc/rfc6911.txt- Multiplexer (DSLAM); an IP Network Access Server (NAS) (incorporating ../data/rfc/rfc6911.txt: an Authentication, Authorization, and Accounting (AAA) client); and a ../data/rfc/rfc6911.txt- AAA server. ../data/rfc/rfc6911.txt- ../data/rfc/rfc6911.txt- ../data/rfc/rfc6911.txt- ../data/rfc/rfc6911.txt- -- ../data/rfc/rfc6911.txt- Figure 1 ../data/rfc/rfc6911.txt- ../data/rfc/rfc6911.txt- In the depicted scenario, the NAS may utilize an IP address ../data/rfc/rfc6911.txt- configuration protocol (e.g., DHCPv6) to handle address assignment to ../data/rfc/rfc6911.txt- RGs/hosts. The RADIUS server authenticates each RG/host and returns ../data/rfc/rfc6911.txt: the Attributes used for authorization and accounting. These ../data/rfc/rfc6911.txt- Attributes can include a host's IPv6 address, a DNS server address, ../data/rfc/rfc6911.txt- and a set of IPv6 routes to be advertised via any suitable protocol, ../data/rfc/rfc6911.txt- e.g., ICMPv6 (Neighbor Discovery). 
[rfc6911.txt]
The name of a prefix pool to be used for DHCPv6 Prefix Delegation or the name of an address pool to be used for DHCPv6 address assignment can also be Attributes provided

[rfc6911.txt]
While [RFC3162] permits the specification of an IPv6 address via the combination of the Framed-Interface-Id and Framed-IPv6-Prefix Attributes, this separation is more natural for use with PPP's IPv6 Control Protocol than it is for use with DHCPv6, and the use of a single IPv6 address Attribute makes for easier processing of accounting records.

[rfc6911.txt]
that the NAS will require both stateful and stateless configuration information. Therefore, it is possible for the Framed-IPv6-Address, Framed-IPv6-Prefix, and Framed-Interface-Id Attributes [RFC3162] to be included within the same packet. To avoid ambiguity in this case, the Framed-IPv6-Address Attribute is intended for authorization and accounting of DHCPv6-assigned addresses, and the Framed-IPv6-Prefix and Framed-Interface-Id Attributes are used for authorization and accounting of addresses assigned via SLAAC.

2.2. DNS Servers

DHCPv6 provides an option for configuring a host with the IPv6 address of a DNS server. The IPv6 address of a DNS server can also

[rfc6911.txt]
Because DHCPv6 Prefix Delegation can be used with SLAAC on the same network, it is possible for the Delegated-IPv6-Prefix-Pool and Framed-IPv6-Pool Attributes to be included within the same packet. To avoid ambiguity in this scenario, use of the Delegated-IPv6-Prefix-Pool Attribute should be restricted to authorization and accounting of prefix pools used in DHCPv6 Prefix Delegation, and the Framed-IPv6-Pool Attribute should be used for authorization and accounting of prefix pools used in SLAAC.

2.5. Stateful IPv6 Address Pool

DHCPv6 [RFC3315] provides a mechanism to assign one or more non-temporary IPv6 addresses to hosts. Section 3.1 introduces the

[rfc6911.txt]
the clients. An alternative way to achieve a similar result is for the NAS to select the IPv6 address to be assigned from an address pool configured for this purpose on the NAS. This document specifies the Stateful-IPv6-Address-Pool Attribute (Section 3.5) to allow the RADIUS server to convey a pool name to be used for such stateful DHCPv6-based addressing and for any subsequent accounting.

3. Attributes

The fields shown in the diagrams below are transmitted from left to right.

[rfc6911.txt]
Dec, et al.                  Standards Track                   [Page 11]

RFC 6911                    RADIUS IPv6 Access                April 2013

   Request  Accept  Reject  Challenge  Accounting-Request   #    Attribute
   0+       0+      0       0          0+                  168   Framed-IPv6-Address
   0+       0+      0       0          0+                  169   DNS-Server-IPv6-Address
   0+       0+      0       0          0+                  170   Route-IPv6-Information
   0+       0+      0       0          0+                  171   Delegated-IPv6-Prefix-Pool

[rfc3289.txt]
should have a corresponding counter. In early versions, it was impossible to configure an action without implementing a counter, although the current design makes them in effect the network manager's option, as a result of making actions consistent in structure and extensibility. The assurance of proper debugging and accounting is therefore left with the policy designer.

When the MIB is used for configuration, diffServCountActNextFree always contains a legal value for diffServCountActId that is not currently used in the system's configuration.

[rfc4137.txt]
Abstract

This document describes a set of state machines for Extensible Authentication Protocol (EAP) peer, EAP stand-alone authenticator (non-pass-through), EAP backend authenticator (for use on Authentication, Authorization, and Accounting (AAA) servers), and EAP full authenticator (for both local and pass-through).
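The RFC 6911 occurrence table and the DHCPv6-versus-SLAAC disambiguation rule quoted in the rfc6911.txt excerpts above, worked through in code. This is an added example, not code from RFC 6911 or from any RADIUS implementation: attribute types 168 to 171 and the table rows are taken from the excerpt, 96 (Framed-Interface-Id) and 97 (Framed-IPv6-Prefix) are the RFC 3162 codes, and the addresses, pool name and interface identifier in the sample packet are constructed for the example.

```python
"""RFC 6911 IPv6 access attributes: encode, parse, and check placement.

Added example, not code from RFC 6911 or any RADIUS stack. Attribute types
168-171 and the occurrence table come from the RFC excerpt; 96 and 97 are the
RFC 3162 codes; the addresses, pool name and interface id are constructed.
"""
import ipaddress
import struct

FRAMED_INTERFACE_ID = 96         # RFC 3162: 8-octet interface identifier (SLAAC)
FRAMED_IPV6_PREFIX = 97          # RFC 3162: Reserved, Prefix-Length, Prefix (SLAAC)
FRAMED_IPV6_ADDRESS = 168        # RFC 6911: the DHCPv6-assigned address
DNS_SERVER_IPV6_ADDRESS = 169
ROUTE_IPV6_INFORMATION = 170
DELEGATED_IPV6_PREFIX_POOL = 171
RFC6911_ATTRS = {FRAMED_IPV6_ADDRESS, DNS_SERVER_IPV6_ADDRESS,
                 ROUTE_IPV6_INFORMATION, DELEGATED_IPV6_PREFIX_POOL}

# Occurrence table for 168-171: "0+" means zero or more, "0" means MUST NOT appear.
MAY_CARRY_RFC6911 = {"Access-Request": True, "Access-Accept": True,
                     "Access-Reject": False, "Access-Challenge": False,
                     "Accounting-Request": True}


def tlv(attr_type, body):
    """RADIUS attribute: Type(1) Length(1) Value, Length including the header."""
    if len(body) > 253:
        raise ValueError("attribute value too long for a one-octet Length")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def ipv6_address_attr(attr_type, addr):
    return tlv(attr_type, ipaddress.IPv6Address(addr).packed)


def ipv6_prefix_attr(attr_type, prefix):
    """Reserved(1) Prefix-Length(1) Prefix(ceil(len/8) octets): the layout shared by
    Framed-IPv6-Prefix and Route-IPv6-Information. strict=True rejects host bits."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return tlv(attr_type, bytes([0, net.prefixlen]) + net.network_address.packed[:nbytes])


def parse_attributes(blob):
    """Walk the attribute list. A Length below 2 or running past the buffer is
    malformed and must stop the walk instead of looping or overrunning."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad Length {length} for attribute {t}")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def decode_prefix(value):
    """Reject Prefix-Length > 128, a Prefix field too short for it, and any
    non-zero bits beyond Prefix-Length."""
    if not 2 <= len(value) <= 18:
        raise ValueError("prefix attribute must carry 2 to 18 octets")
    plen, prefix = value[1], value[2:]
    if plen > 128 or len(prefix) < (plen + 7) // 8:
        raise ValueError("Prefix-Length inconsistent with Prefix field")
    full = int.from_bytes(prefix.ljust(16, b"\x00"), "big")
    if plen < 128 and full & ((1 << (128 - plen)) - 1):
        raise ValueError("bits beyond Prefix-Length must be zero")
    return f"{ipaddress.IPv6Address(full)}/{plen}"


def decode_value(t, value):
    if t in (FRAMED_IPV6_ADDRESS, DNS_SERVER_IPV6_ADDRESS):
        if len(value) != 16:
            raise ValueError("IPv6 address attribute must carry exactly 16 octets")
        return str(ipaddress.IPv6Address(value))
    if t in (FRAMED_IPV6_PREFIX, ROUTE_IPV6_INFORMATION):
        return decode_prefix(value)
    if t == FRAMED_INTERFACE_ID:
        if len(value) != 8:
            raise ValueError("Framed-Interface-Id must carry exactly 8 octets")
        return value.hex(":", 2)
    if t == DELEGATED_IPV6_PREFIX_POOL:
        return value.decode("utf-8")
    return value


def misplaced_attributes(packet_type, attrs):
    """RFC 6911 attribute types present although the table says "0" for this packet."""
    if MAY_CARRY_RFC6911[packet_type]:
        return []
    return sorted({t for t, _ in attrs if t in RFC6911_ATTRS})


def classify_addressing(attrs):
    """The disambiguation rule: Framed-IPv6-Address is the DHCPv6-assigned address;
    Framed-IPv6-Prefix plus Framed-Interface-Id describe the SLAAC address."""
    by_type = {t: decode_value(t, v) for t, v in attrs}
    result = {"dhcpv6": [decode_value(t, v) for t, v in attrs if t == FRAMED_IPV6_ADDRESS]}
    if FRAMED_IPV6_PREFIX in by_type:
        result["slaac"] = {"prefix": by_type[FRAMED_IPV6_PREFIX],
                           "interface_id": by_type.get(FRAMED_INTERFACE_ID)}
    return result


def sample_access_accept():
    """Constructed Access-Accept carrying both stateful (DHCPv6) and stateless data."""
    return b"".join([
        ipv6_address_attr(FRAMED_IPV6_ADDRESS, "2001:db8:100::10"),
        ipv6_address_attr(DNS_SERVER_IPV6_ADDRESS, "2001:db8::53"),
        ipv6_prefix_attr(ROUTE_IPV6_INFORMATION, "2001:db8:200::/48"),
        tlv(DELEGATED_IPV6_PREFIX_POOL, b"pd-pool-east"),
        ipv6_prefix_attr(FRAMED_IPV6_PREFIX, "2001:db8:300::/64"),
        tlv(FRAMED_INTERFACE_ID, bytes.fromhex("0250563400000001")),
    ])
```

The two checks worth keeping in any receiver are the Length validation in parse_attributes (a Length of 0 or 1 would otherwise loop forever, and one past the buffer would read out of bounds) and the rejection in decode_prefix of bits set beyond Prefix-Length, which is how a sloppy sender smuggles a host address into what the receiver believes is a route.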
This set of state machines shows how EAP can be implemented to support deployment in either a peer/authenticator or peer/authenticator/AAA Server environment. The peer and stand-alone authenticator machines are illustrative of how the EAP protocol defined in RFC 3748 may be

[rfc1068.txt]
o Deferred Delivery

The user may wish to defer a large transfer until an off-peak period. This may become important when parts of the Internet adopt accounting and traffic-based cost-recovery mechanisms.

There is a serious human-engineering problem with background file transfer: if the user makes a mistake in entering parameters, this mistake may not become apparent until much later. This can be the

[rfc874.txt]
1-3. ("Loose constructionists" of the ISORM would hold that X.25 is a mechanization of L1-L3 rather than the mechanization, and at least one British source holds that "we in the U.K. don't believe that ISO have adopted X.25.") In the U.S. Government arena, where the author spends much of his time, the Government Accounting Office (GAO) has suggested that the Department of Defense (DoD) ought to consider adopting "X.25 networks," apparently in preference to networks based on protocols developed by the DoD-sponsored intercomputer networking research community. That intercomputer networking research community in turn has, with a few recent exceptions, adhered to its commitment to the

[rfc4067.txt]
Appendix B. Multicast Listener Context Transfer

In the past, credible proposals have been made in the Seamoby Working Group and elsewhere for using context transfer to speed the handover of authentication, authorization, and accounting context, distributed firewall context, PPP context, and header compression context. Because the Working Group was not chartered to develop context profile definitions for specific applications, none of the documents submitted to Seamoby were accepted as Working Group items. At this time, work to develop a context profile definition for RFC

[rfc2789.txt]
won't be accepted, etc.) vary widely from one MTA to the next and cannot be inferred from this variable."
::= {mtaEntry 12}

-- MTAs typically group inbound reception, queue storage, and
-- outbound transmission in some way, rather than accounting for
-- such operations only across the MTA as a whole. In the most
-- extreme case separate information will be maintained for each
-- different entity that receives messages and for each entity
-- the MTA stores messages for and delivers messages to. Other
-- MTAs may elect to treat all reception equally, all queue

[rfc4590.txt]
authenticate itself to a proxy server. Digest Authentication is used in other protocols as well.

To simplify the provisioning of users, there is a need to support this authentication mechanism within Authentication, Authorization, and Accounting (AAA) protocols such as RADIUS [RFC2865] and Diameter [RFC3588].

[rfc4779.txt]
The BRAS terminates the PPP sessions and provides the subscriber with an IPv6 address from the defined pool for that profile. The subscriber profile for authorization and authentication can be located on the BRAS or on an Authentication, Authorization, and Accounting (AAA) server. The Hosts or the Customer Routers have the BRAS as their Layer 3 next hop.

[rfc4779.txt]
requests coming from subscribers without CPRs. It has to be enabled for PIM-SSM in order to receive joins/leaves from customer routers and send joins/leaves to the next hop towards the multicast source (Edge Router or the NSP core).

MLD authentication, authorization, and accounting are usually configured on the Edge Router in order to enable the ISP to control the subscriber access of the service and do billing for the content provided. Alternative mechanisms that would support these functions should be investigated further.

[rfc4779.txt]
requests coming from subscribers without CPRs. It has to be enabled for PIM-SSM in order to receive joins/leaves from customer routers and send joins/leaves to the next hop towards the multicast source (Edge Router or the NSP core).

MLD authentication, authorization, and accounting are usually configured on the edge router in order to enable the ISP to control the subscriber access of the service and do billing for the content provided. Alternative mechanisms that would support these functions should be investigated further.

[rfc4779.txt]
to process the requests coming from the IPv6 WLAN Host or WLAN/Access Router (if present). The Edge Router also needs to be enabled for PIM-SSM in order to receive joins from IPv6 WLAN Hosts or WLAN/Access Router (if present), and send joins towards the SP core.

MLD authentication, authorization, and accounting are usually configured on the Edge Router in order to enable the SP to do billing for the content services provided. Further investigation should be made in finding alternative mechanisms that would support these functions.

[rfc2805.txt]
5.2. Connection Requirements
5.3. Media Transformations
5.4. Signal/Event Processing and Scripting
5.5. QoS/CoS
5.6. Test Support
5.7. Accounting
5.8. Signalling Control
6. Resource Control
6.1. Resource Status Management
6.2. Resource Assignment
7. Operational/Management Requirements

[rfc2805.txt]
for both the originating and terminating ends of the circuit connection (2-wire and 4-wire).

b. Specifically support test line operation (e.g. 103, 105, 108).

5.7. Accounting

The protocol must:

a. Support a common identifier to mark resources related to one connection.

b. Support collection of specified accounting information from MGs.

c. Provide the mechanism for the MGC to specify that the MG report accounting information automatically at end of call, in mid-call upon request, at specific time intervals as specified by the MGC and at unit usage thresholds as specified by the MGC.

d. Specifically support collection of:

[rfc3521.txt]
Abstract

Establishing multimedia streams must take into account requirements for end-to-end QoS, authorization of network resource usage and accurate accounting for resources used. During session set up, policies may be enforced to ensure that the media streams being requested lie within the bounds of the service profile established for the requesting host. Similarly, when a host requests resources to provide a certain QoS for a packet flow, policies may be enforced to ensure that the required resources lie within the bounds of the

[rfc3521.txt]
speed up session setup and still ensure proper authorization is performed.

This model does not preclude the possibility that the policy servers may communicate at other times for other purposes (e.g., exchange of accounting information).

[rfc6983.txt]
As stated in [RFC6707], the CDNI Logging interface enables details of logs or events to be exchanged between interconnected CDNs.

As discussed in [CDNI-LOGGING], the CDNI logging information can be used for multiple purposes, including maintenance/debugging by a uCDN, accounting (e.g., for billing or settlement purposes), reporting and management of end-user experience (e.g., to the CSP), analytics (e.g., by the CSP), and control of content distribution policy enforcement (e.g., by the CSP).

The key consideration for HAS with respect to logging is the

[rfc6983.txt]
f. (Where needed) Logging re-formatting (e.g., reformatting from the CDNI Logging interface format into a log-consuming application)

g. Logging consumption/processing (e.g., feed logs into uCDN accounting application, feed logs into uCDN reporting system to provide per-CSP views, feed logs into debugging tools)

Note that there may be multiple instances of steps [f] and [g] running in parallel.

[rfc8881.txt]
The replier compares each received request's sequence ID with the last one previously received for that slot ID, to see if the new request is:

* A new request, in which the sequence ID is one greater than that previously seen in the slot (accounting for sequence wraparound). The replier proceeds to execute the new request, and the replier MUST increase the slot's sequence ID by one.

* A retransmitted request, in which the sequence ID is equal to that currently recorded in the slot. If the original request has executed to completion, the replier returns the cached reply. See Section 2.10.6.2 for direction on how the replier deals with retries of requests that are still in progress.

* A misordered retry, in which the sequence ID is less than (accounting for sequence wraparound) that previously seen in the slot. The replier MUST return NFS4ERR_SEQ_MISORDERED (as the result from SEQUENCE or CB_SEQUENCE).

* A misordered new request, in which the sequence ID is two or more greater than (accounting for sequence wraparound) that previously seen in the slot. Note that because the sequence ID MUST wrap around to zero once it reaches 0xFFFFFFFF, a misordered new request and a misordered retry cannot be distinguished. Thus, the replier MUST return NFS4ERR_SEQ_MISORDERED (as the result from SEQUENCE or CB_SEQUENCE).

[rfc8881.txt]
With delegations, a client is able to avoid writing data to the server when the CLOSE of a file is serviced. The file close system call is the usual point at which the client is notified of a lack of stable storage for the modified file data generated by the application. At the close, file data is written to the server and, through normal accounting, the server is able to determine if the available file system space for the data has been exceeded (i.e., the server returns NFS4ERR_NOSPC or NFS4ERR_DQUOT). This accounting includes quotas. The introduction of delegations requires that an alternative method be in place for the same type of communication to occur between client and server.

In the delegation response, the server provides either the limit of

[rfc8881.txt]
(ca_maxoperations(i) - 1), where N is the number of session fore channels and ca_maxoperations(i) is the value of the ca_maxoperations returned from CREATE_SESSION of the i'th session. The reason for "- 1" is to allow for the required SEQUENCE operation. The server MAY support a VALID_SEQID_RANGE value larger than the minimum. The maximum VALID_SEQID_RANGE is (2^(32) - 2) (accounting for zero not being a valid "seqid" value).
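The slot comparison quoted in the rfc8881.txt excerpt above (and restated further down for CREATE_SESSION, SEQUENCE and CB_SEQUENCE) reduces to a single modulo-2^32 distance check, which is the part implementers get wrong at the 0xFFFFFFFF boundary. The following is an added example, not code from RFC 8881 or from any NFS implementation. It applies the RFC's rules (equal means retry served from cache, one greater means new request, anything else is NFS4ERR_SEQ_MISORDERED) and reuses the same check for the client-ID slot that CREATE_SESSION validates; the choice that fresh session slots start at 0, the RETRY_IN_PROGRESS marker, and the slot contents and reply strings are this example's own.

```python
"""Slot sequence-ID handling for an NFSv4.1 reply cache (RFC 8881 rules above).

Added example, not code from RFC 8881 or any NFS implementation. It implements
the three-way comparison quoted above (equal = retry, one greater modulo 2^32 =
new, otherwise NFS4ERR_SEQ_MISORDERED) and reuses it for the client-ID slot that
CREATE_SESSION checks. Slot contents and reply strings are constructed here.
"""
MASK32 = 0xFFFFFFFF
NFS4_OK = "NFS4_OK"
NFS4ERR_SEQ_MISORDERED = "NFS4ERR_SEQ_MISORDERED"


class Slot:
    """One slot: last sequence ID accepted and the reply cached for it."""

    def __init__(self, seqid, cached_reply):
        self.seqid = seqid & MASK32
        self.cached_reply = cached_reply
        self.in_progress = False


def classify(slot, seqid):
    """Distance modulo 2^32, so 0xFFFFFFFF followed by 0 is 'one greater'.
    Any distance other than 0 or 1 is misordered: after wraparound a 'less than'
    retry and a 'two or more greater' new request are indistinguishable."""
    delta = (seqid - slot.seqid) & MASK32
    if delta == 0:
        return "retry"
    if delta == 1:
        return "new"
    return "misordered"


def process_sequence(slot, seqid, execute):
    """Replier side of SEQUENCE / CB_SEQUENCE for one slot. execute() runs the
    operations that follow SEQUENCE and returns the reply to cache."""
    kind = classify(slot, seqid)
    if kind == "misordered":
        return NFS4ERR_SEQ_MISORDERED, None          # slot is left unchanged
    if kind == "retry":
        if slot.in_progress:
            # Original still executing: RFC 8881 Section 2.10.6.2 governs this;
            # the example only reports it instead of running the request twice.
            return "RETRY_IN_PROGRESS", None
        return NFS4_OK, slot.cached_reply            # replay served from cache
    slot.in_progress = True
    slot.seqid = seqid                               # advance by one (mod 2^32)
    slot.cached_reply = execute()
    slot.in_progress = False
    return NFS4_OK, slot.cached_reply


def new_session_slots(count):
    """Session slot table. This example assumes slots start at 0 so the first
    request on a slot carries sequence ID 1."""
    return [Slot(0, None) for _ in range(count)]


def init_client_id_slot(eir_sequenceid):
    """EXCHANGE_ID side: slot = eir_sequenceid - 1 (underflow wraps) holding a
    contrived CREATE_SESSION result of NFS4ERR_SEQ_MISORDERED."""
    return Slot((eir_sequenceid - 1) & MASK32, NFS4ERR_SEQ_MISORDERED)


def create_session(slot, csa_sequenceid, build_session):
    """Phase 2 of CREATE_SESSION: replay returns the cached result, a one-greater
    value advances the slot, anything else is NFS4ERR_SEQ_MISORDERED."""
    kind = classify(slot, csa_sequenceid)
    if kind == "retry":
        return slot.cached_reply
    if kind == "misordered":
        return NFS4ERR_SEQ_MISORDERED
    slot.seqid = csa_sequenceid
    slot.cached_reply = build_session()
    return slot.cached_reply


def demo():
    """Constructed exchange on one slot, including the wraparound edge.
    Returns the per-request results and how many times the request body ran."""
    table, calls = new_session_slots(1), []

    def run():
        calls.append(1)
        return f"reply-{len(calls)}"

    results = [
        process_sequence(table[0], 1, run),           # new request
        process_sequence(table[0], 1, run),           # retry: cached, not re-executed
        process_sequence(table[0], 3, run),           # skipped 2: misordered
    ]
    table[0].seqid = 0xFFFFFFFF                       # force the wraparound edge
    results.append(process_sequence(table[0], 0, run))           # 0 is one greater
    results.append(process_sequence(table[0], 0xFFFFFFFF, run))  # less than: misordered
    return results, len(calls)
```

The exactly-once property rests on the retry branch never calling execute() again, which demo() checks by counting executions. The contrived NFS4ERR_SEQ_MISORDERED stored by init_client_id_slot is what a replay of a never-sent CREATE_SESSION (csa_sequenceid equal to eir_sequenceid - 1) gets back, so the client-ID slot is safe before any real request has been cached.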
If the server finds the "seqid" is zero, the NFS4ERR_BAD_STATEID error is returned to the client. The server further validates the "seqid" to ensure it is within the range of parallelism,

[rfc8881.txt]
* that between different named attribute directories or between a named attribute directory and an ordinary directory.

* that between byte-ranges of a file system that the file system implementation treats as separate (for example, for space accounting purposes), and where cross-connection between the byte-ranges is not allowed.

15.1.5. State Management Errors

These errors indicate problems with the stateid (or one of the

[rfc8881.txt]
The server expects the value of csa_sequenceid in the arguments to that CREATE_SESSION to be equal to the value of the field eir_sequenceid that was returned in results of the EXCHANGE_ID that returned the unconfirmed client ID. Before the server replies to that EXCHANGE_ID operation, it initializes the client ID slot to be equal to eir_sequenceid - 1 (accounting for underflow), and records a contrived CREATE_SESSION result with a "cached" result of NFS4ERR_SEQ_MISORDERED. With the client ID slot thus initialized, the processing of the CREATE_SESSION operation is divided into four phases:

[rfc8881.txt]
2. Sequence ID processing. If csa_sequenceid is equal to the sequence ID in the client ID's slot, then this is a replay of the previous CREATE_SESSION request, and the server returns the cached result. If csa_sequenceid is not equal to the sequence ID in the slot, and is more than one greater (accounting for wraparound), then the server returns the error NFS4ERR_SEQ_MISORDERED, and does not change the slot. If csa_sequenceid is equal to the slot's sequence ID + 1 (accounting for wraparound), then the slot's sequence ID is set to csa_sequenceid, and the CREATE_SESSION processing goes to the next phase. A subsequent new CREATE_SESSION call over the same client ID MUST use a csa_sequenceid that is one greater than the sequence ID in the slot.

[rfc8881.txt]
The value of the sa_sequenceid argument relative to the cached sequence ID on the slot falls into one of three cases.

* If the difference between sa_sequenceid and the server's cached sequence ID at the slot ID is two (2) or more, or if sa_sequenceid is less than the cached sequence ID (accounting for wraparound of the unsigned sequence ID value), then the server MUST return NFS4ERR_SEQ_MISORDERED.

* If sa_sequenceid and the cached sequence ID are the same, this is a retry, and the server replies with what is recorded in the reply cache. The lease is possibly renewed as described below.

* If sa_sequenceid is one greater (accounting for wraparound) than the cached sequence ID, then this is a new request, and the slot's sequence ID is incremented. The operations subsequent to SEQUENCE, if any, are processed. If there are no other operations, the only other effects are to cache the SEQUENCE reply in the slot, maintain the session's activity, and possibly renew

[rfc8881.txt]
        void;
};

20.9.3. DESCRIPTION

The CB_SEQUENCE operation is used to manage operational accounting for the backchannel of the session on which a request is sent. The contents include the session ID to which this request belongs, the slot ID and sequence ID used by the server to implement session request control and exactly once semantics, and exchanged slot ID maxima that are used to adjust the size of the reply cache. In each

[rfc8881.txt]
The value of the csa_sequenceid argument relative to the cached sequence ID on the slot falls into one of three cases.

* If the difference between csa_sequenceid and the client's cached sequence ID at the slot ID is two (2) or more, or if csa_sequenceid is less than the cached sequence ID (accounting for wraparound of the unsigned sequence ID value), then the client MUST return NFS4ERR_SEQ_MISORDERED.

* If csa_sequenceid and the cached sequence ID are the same, this is a retry, and the client returns the CB_COMPOUND request's cached reply.

* If csa_sequenceid is one greater (accounting for wraparound) than the cached sequence ID, then this is a new request, and the slot's sequence ID is incremented. The operations subsequent to CB_SEQUENCE, if any, are processed. If there are no other operations, the only other effects are to cache the CB_SEQUENCE reply in the slot, maintain the session's activity, and when the

[rfc4580.txt]
customers connect through different paths, and as network changes occur.

The subscriber-id information allows the service provider to assign/activate subscriber-specific actions; e.g., assignment of specific IP addresses, prefixes, DNS configuration, trigger accounting, etc. This option is de-coupled from the access network's physical structure, so a subscriber that moves from one access-point to another, for example, would not require reconfiguration at the service provider's DHCPv6 servers.

[rfc7423.txt]
5.5. Session-Id AVP and Session Management
5.6. Use of Enumerated Type AVPs
5.7. Application-Specific Message Routing
5.8. Translation Agents
5.9. End-to-End Application Capabilities Exchange
5.10. Diameter Accounting Support
5.11. Diameter Security Mechanisms
6. Defining Generic Diameter Extensions
7. Guidelines for Registrations of Diameter Values
8. Security Considerations
9. References

[rfc7423.txt]
1. Introduction

The Diameter base protocol [RFC6733] is intended to provide an Authentication, Authorization, and Accounting (AAA) framework for applications such as network access or IP mobility in both local and roaming situations. This protocol provides the ability for Diameter peers to exchange messages carrying data in the form of Attribute-Value Pairs (AVPs).

[rfc7423.txt]
This model is in line with a Diameter node having an application layer and a peer-to-peer delivery layer. The Diameter base protocol document defines the architecture and behavior of the message delivery layer and then provides the framework for designing Diameter applications on the application layer. This framework includes definitions of application sessions and accounting support (see Sections 8 and 9 of [RFC6733]). Accordingly, a Diameter node is seen in this document as a single instance of a Diameter message delivery layer and one or more Diameter applications using it.

The Diameter base protocol is designed to be extensible and the

[rfc7423.txt]
(EAP) application [RFC4072] and the Diameter Network Access Server application [RFC7155]. When network access authentication using EAP is required, the Diameter EAP commands (Diameter-EAP-Request/Diameter-EAP-Answer) are used; otherwise, the Diameter Network Access Server application will be used. When the Diameter EAP application is used, the accounting exchanges defined in the Diameter Network Access Server may be used.

However, in general, it is difficult to come to a hard guideline, and so a case-by-case study of each application requirement should be applied. Before adding or importing a command, application designers

[rfc7423.txt]
defined for the IP Multimedia Subsystem of 3GPP, e.g., Cx/Dx ([TS29.228] and [TS29.229]), Sh ([TS29.328] and [TS29.329]), etc.

Application designers SHOULD try to import existing AVPs and AVP values for any newly defined commands. In certain cases where accounting will be used, the models described in Section 5.10 SHOULD also be considered.

Additional considerations are described in the following sections.

5.2. Defining New Commands

[rfc7423.txt]
Application Id of the application using those messages. This includes the session-level messages defined in the Diameter base protocol, i.e., Re-Auth-Request (RAR) / Re-Auth-Answer (RAA), Session-Termination-Request (STR) / Session-Termination-Answer (STA), Abort-Session-Request (ASR) / Abort-Session-Answer (ASA), and possibly Accounting-Request (ACR) / Accounting-Answer (ACA) in the coupled accounting model; see Section 5.10. Some existing specifications do not adhere to this rule for historical reasons. However, this guidance SHOULD be followed by new applications to avoid routing problems.

When a new application has been allocated with a new Application Id

[rfc7423.txt]
or proxy agents in the request routing path will be able to release the transaction state upon receipt of the corresponding answer, avoiding unnecessary failover. Moreover, especially in roaming cases, proxy agents in the path must be able to apply local policies when receiving the answer from the server during authentication/authorization and/or accounting procedures and maintain up-to-date session state information by keeping track of all authorized active

Morand, et al.               Best Current Practice             [Page 17]

[rfc7423.txt]
with arbitrary functionality. When the added features drastically change the Diameter application or when Diameter agents must be upgraded to support the new features, a new application SHOULD be defined, as recommended in [RFC6733].

5.10. Diameter Accounting Support

Accounting can be treated as an auxiliary application that is used in support of other applications. In most cases, accounting support is required when defining new applications. This document provides two possible models for using accounting:

Split Accounting Model:

   In this model, the accounting messages will use the Diameter base accounting Application Id (value of 3). The design implication for this is that the accounting is treated as an independent application, especially for Diameter routing. This means that accounting commands emanating from an application may be routed separately from the rest of the other application messages. This may also imply that the messages end up in a central accounting server. A split accounting model is a good design choice when:

   * The application itself does not define its own accounting commands.

   * The overall system architecture permits the use of centralized acc<br>ounting for one or more Diameter applications.

[rfc7423.txt]
RFC 7423           Diameter Applications Design Guidelines       November 2014

   Centralizing accounting may have advantages, but there are also drawbacks. The model assumes that the accounting server can differentiate received accounting messages. Since the received accounting messages can be for any application and/or service, the accounting server MUST have a method to match accounting messages with applications and/or services being accounted for. This may mean defining new AVPs; checking the presence, absence, or contents of existing AVPs; or checking the contents of the accounting record itself. One of these means could be to insert into the request sent to the accounting server an Auth-Application-Id AVP containing the identifier of the application for which the accounting request is sent. But in general, there is no clean and generic scheme for sorting these messages. Therefore, this model SHOULD NOT be used when all received accounting messages cannot be clearly identified and sorted. For most cases, the use of the Coupled Accounting Model is RECOMMENDED.

[rfc7423.txt]
Coupled Accounting Model:

   In this model, the accounting messages will use the Application Id of the application using the accounting service. The design implication for this is that the accounting messages are tightly coupled with the application itself, meaning that accounting messages will be routed like the other application messages. It would then be the responsibility of the application server (application entity receiving the ACR message) to send the accounting records carried by the accounting messages to the proper accounting server. The application server is also responsible for formulating a proper response (ACA). A coupled accounting model is a good design choice when:

   * The system architecture or deployment does not provide an accounting server that supports Diameter. Consequently, the application server MUST be provisioned to use a different protocol to access the accounting server, e.g., via the Lightweight Directory Access Protocol (LDAP), SOAP, etc. This case includes the support of older accounting systems that are not Diameter aware.

   * The system architecture or deployment requires that the accounting service for the specific application should be handled by the application itself.
../data/rfc/rfc7423.txt- ../data/rfc/rfc7423.txt- In all cases above, there will generally be no direct Diameter ../data/rfc/rfc7423.txt: access to the accounting server. ../data/rfc/rfc7423.txt- ../data/rfc/rfc7423.txt: These models provide a basis for using accounting messages. ../data/rfc/rfc7423.txt- Application designers may obviously deviate from these models ../data/rfc/rfc7423.txt- provided that the factors being addressed here have also been taken ../data/rfc/rfc7423.txt- ../data/rfc/rfc7423.txt- ../data/rfc/rfc7423.txt- -- ../data/rfc/rfc7423.txt-RFC 7423 Diameter Applications Design Guidelines November 2014 ../data/rfc/rfc7423.txt- ../data/rfc/rfc7423.txt- ../data/rfc/rfc7423.txt- into account. As a general recommendation, application designers ../data/rfc/rfc7423.txt- SHOULD NOT define a new set of commands to carry application-specific ../data/rfc/rfc7423.txt: accounting records. ../data/rfc/rfc7423.txt- ../data/rfc/rfc7423.txt-5.11. Diameter Security Mechanisms ../data/rfc/rfc7423.txt- ../data/rfc/rfc7423.txt- As specified in [RFC6733], the Diameter message exchange SHOULD be ../data/rfc/rfc7423.txt- secured between neighboring Diameter peers using Transport Layer -- ../data/rfc/rfc5121.txt- serves multiple IPv6 hosts may be the end point of the connection. ../data/rfc/rfc5121.txt- Hence, one or more /64 prefixes SHOULD be assigned to a link. The ../data/rfc/rfc5121.txt- prefixes are advertised with the on-link (L-bit) flag set as ../data/rfc/rfc5121.txt- specified in [RFC4861]. The size and number of the prefixes are a ../data/rfc/rfc5121.txt- configuration issue. Also, Dynamic Host Configuration Protocol ../data/rfc/rfc5121.txt: (DHCP) or Authentication, Authorization, and Accounting (AAA)-based ../data/rfc/rfc5121.txt- prefix delegation MAY be used to provide one or more prefixes to MS ../data/rfc/rfc5121.txt- for an AR connected over 802.16. The other properties of the ../data/rfc/rfc5121.txt- prefixes are also dealt with via configuration. 
../data/rfc/rfc5121.txt- ../data/rfc/rfc5121.txt-8. Router Discovery -- ../data/rfc/rfc5998.txt- requirements of many deployment scenarios. By using EAP, IKEv2 can ../data/rfc/rfc5998.txt- leverage existing authentication infrastructure and credential ../data/rfc/rfc5998.txt- databases, since EAP allows users to choose a method suitable for ../data/rfc/rfc5998.txt- existing credentials, and also makes separation of the IKEv2 ../data/rfc/rfc5998.txt- responder (VPN gateway) from the EAP authentication endpoint (backend ../data/rfc/rfc5998.txt: Authentication, Authorization, and Accounting (AAA) server) easier. ../data/rfc/rfc5998.txt- ../data/rfc/rfc5998.txt- Some older EAP methods are designed for unilateral authentication ../data/rfc/rfc5998.txt- only (that is, EAP peer to EAP server). These methods are used in ../data/rfc/rfc5998.txt- conjunction with IKEv2 public-key-based authentication of the ../data/rfc/rfc5998.txt- responder to the initiator. It is expected that this approach is -- ../data/rfc/rfc677.txt-This RFC is a working paper on the problem of maintaining duplicated ../data/rfc/rfc677.txt-databases in an ARPA-like network. It briefly discusses the general ../data/rfc/rfc677.txt-duplicate database problem, and then outlines in some detail a solution ../data/rfc/rfc677.txt-for a particular type of duplicate database. The concepts developed ../data/rfc/rfc677.txt-here were used in the design of the User Identification Database for the ../data/rfc/rfc677.txt:TIP user authentication and accounting system. We believe that these ../data/rfc/rfc677.txt-concepts are generally applicable to distributed database problems. ../data/rfc/rfc677.txt- ../data/rfc/rfc677.txt- ../data/rfc/rfc677.txt- ../data/rfc/rfc677.txt- -- ../data/rfc/rfc677.txt-important motivations are: ../data/rfc/rfc677.txt- ../data/rfc/rfc677.txt- - to increase reliability of data access. 
../data/rfc/rfc677.txt- ../data/rfc/rfc677.txt- The accessibility of critical data can be increased by redundantly ../data/rfc/rfc677.txt: maintaining it. The database used for TIP login and accounting is ../data/rfc/rfc677.txt- redundantly distributed to achieve highly reliable access. ../data/rfc/rfc677.txt- ../data/rfc/rfc677.txt- - to insure efficiency of data access. ../data/rfc/rfc677.txt- ../data/rfc/rfc677.txt- Data can be more quickly and efficiently accessed when it is "near" -- ../data/rfc/rfc1539.txt- ../data/rfc/rfc1539.txt- For those who could not attend a meeting but would like a copy of the ../data/rfc/rfc1539.txt- Proceedings send a check for $35 (made payable to CNRI) to: ../data/rfc/rfc1539.txt- ../data/rfc/rfc1539.txt- Corporation for National Research Initiatives ../data/rfc/rfc1539.txt: Attn: Accounting Department - IETF Proceedings ../data/rfc/rfc1539.txt- 1895 Preston White Drive, Suite 100 ../data/rfc/rfc1539.txt- Reston, VA 22091 ../data/rfc/rfc1539.txt- ../data/rfc/rfc1539.txt- Please indicate which meeting Proceedings you would like to receive ../data/rfc/rfc1539.txt- by specifying the meeting date (e.g., July 1993) or meeting number -- ../data/rfc/rfc5181.txt- [IEEE802.16e]. ../data/rfc/rfc5181.txt- ../data/rfc/rfc5181.txt-2.5. IPv6 Security ../data/rfc/rfc5181.txt- ../data/rfc/rfc5181.txt- When initiating the connection, an MS is authenticated by the ../data/rfc/rfc5181.txt: Authentication, Authorization, and Accounting (AAA) server located at ../data/rfc/rfc5181.txt- its service provider network. To achieve that, the MS and the BS use ../data/rfc/rfc5181.txt- Privacy Key Management [IEEE802.16],[IEEE802.16e], while the BS ../data/rfc/rfc5181.txt- communicates with the AAA server using a AAA protocol. 
Once the MS ../data/rfc/rfc5181.txt- is authenticated with the AAA server, it can associate successfully ../data/rfc/rfc5181.txt- with the BS and acquire an IPv6 address through stateless auto- -- ../data/rfc/rfc2904.txt- variety of different authorization needs. ../data/rfc/rfc2904.txt- ../data/rfc/rfc2904.txt- We expect that this work may be extended in the future to a more ../data/rfc/rfc2904.txt- comprehensive model and that the scheme described here will be ../data/rfc/rfc2904.txt- incorporated into a framework that includes authentication, ../data/rfc/rfc2904.txt: accounting and auditing. We have referenced a number of ../data/rfc/rfc2904.txt- authorization sources, but also recognize that there may be some that ../data/rfc/rfc2904.txt- we have missed and that should be included. Please notify one of the ../data/rfc/rfc2904.txt- authors of any such oversight so it can be corrected in a future ../data/rfc/rfc2904.txt- revision. ../data/rfc/rfc2904.txt- ../data/rfc/rfc2904.txt- In general, it is assumed that the parties who are participating in ../data/rfc/rfc2904.txt- the authorization process have already gone through an authentication ../data/rfc/rfc2904.txt- phase. The authentication method used by those parties is outside ../data/rfc/rfc2904.txt- the scope of this document except to the extent that it influences ../data/rfc/rfc2904.txt- the requirements found in a subsequent authorization process. ../data/rfc/rfc2904.txt: Likewise, accounting requirements are outside the scope of this ../data/rfc/rfc2904.txt: document other than recording accounting data or establishing trust ../data/rfc/rfc2904.txt- relationships during an authorization that will facilitate a ../data/rfc/rfc2904.txt: subsequent accounting phase. ../data/rfc/rfc2904.txt- ../data/rfc/rfc2904.txt- The work for this memo was done by a group that originally was the ../data/rfc/rfc2904.txt- Authorization subgroup of the AAA Working Group of the IETF. 
When ../data/rfc/rfc2904.txt- the charter of the AAA working group was changed to focus on MobileIP ../data/rfc/rfc2904.txt- and NAS requirements, the AAAarch Research Group was chartered within -- ../data/rfc/rfc2904.txt- ../data/rfc/rfc2904.txt- This requirement has been clearly documented in [10], which describes ../data/rfc/rfc2904.txt- many current weaknesses of the RADIUS protocol [11] in roaming ../data/rfc/rfc2904.txt- networks since RADIUS does not provide such functionality. One ../data/rfc/rfc2904.txt- well-known attack is the ability for the intermediate nodes to modify ../data/rfc/rfc2904.txt: critical accounting information, such as a session time. ../data/rfc/rfc2904.txt- ../data/rfc/rfc2904.txt- Most popular security protocols (e.g. IPSec, SSL, etc.) do not ../data/rfc/rfc2904.txt- provide the ability to secure a portion of the payload. Therefore, it ../data/rfc/rfc2904.txt- may be necessary for the AAA protocol to implement its own security ../data/rfc/rfc2904.txt- extensions to provide end-to-end security. -- ../data/rfc/rfc2904.txt- ../data/rfc/rfc2904.txt- Furthermore, it should be possible for the Brokers to allow end-to- ../data/rfc/rfc2904.txt- end (direct) authentication and authorization. This can be done as ../data/rfc/rfc2904.txt- follows. The User Home Organization generates a ticket which is ../data/rfc/rfc2904.txt- signed using the UHO's private key. The ticket is carried in the ../data/rfc/rfc2904.txt: accounting messages. The accounting messages must flow through the ../data/rfc/rfc2904.txt- Broker since the Broker is acting as the settlement agent and ../data/rfc/rfc2904.txt- requires this information. There are Brokers that will require to be ../data/rfc/rfc2904.txt- in the authentication and authorization path as well since they will ../data/rfc/rfc2904.txt- use this information to detect fraudulent activity, so the above ../data/rfc/rfc2904.txt- should be optional. 
-- ../data/rfc/rfc4881.txt- distance (in terms of delay) from the nFA. The time required for the ../data/rfc/rfc4881.txt- handoff procedure to complete can be reduced by using a closer local ../data/rfc/rfc4881.txt- HA, called Gateway Foreign Agent (GFA) in [11]. However, ../data/rfc/rfc4881.txt- implementation of [11] is not required by PRE-REGISTRATION. PRE- ../data/rfc/rfc4881.txt- REGISTRATION also supports movement where a new Authentication, ../data/rfc/rfc4881.txt: Authorization, and Accounting (AAA) transaction must occur to ../data/rfc/rfc4881.txt- authenticate the MN with a new domain. ../data/rfc/rfc4881.txt- ../data/rfc/rfc4881.txt- ../data/rfc/rfc4881.txt- ../data/rfc/rfc4881.txt- -- ../data/rfc/rfc3945.txt- configured on the advertising LSR, others may be obtained from other ../data/rfc/rfc3945.txt- LSRs by means of some protocol, and yet others may be deduced from ../data/rfc/rfc3945.txt- the component(s) of the TE link. ../data/rfc/rfc3945.txt- ../data/rfc/rfc3945.txt- An important TE property of a TE link is related to the bandwidth ../data/rfc/rfc3945.txt: accounting for that link. GMPLS will define different accounting ../data/rfc/rfc3945.txt- rules for different non-PSC layers. Generic bandwidth attributes are ../data/rfc/rfc3945.txt- however defined by the TE routing extensions and by GMPLS, such as ../data/rfc/rfc3945.txt- the unreserved bandwidth, the maximum reservable bandwidth and the ../data/rfc/rfc3945.txt- maximum LSP bandwidth. ../data/rfc/rfc3945.txt- ../data/rfc/rfc3945.txt- It is expected in a dynamic environment to have frequent changes of ../data/rfc/rfc3945.txt: bandwidth accounting information. A flexible policy for triggering ../data/rfc/rfc3945.txt- link state updates based on bandwidth thresholds and link-dampening ../data/rfc/rfc3945.txt- mechanism can be implemented. 
../data/rfc/rfc3945.txt- ../data/rfc/rfc3945.txt- TE properties associated with a link should also capture protection ../data/rfc/rfc3945.txt- and restoration related characteristics. For instance, shared -- ../data/rfc/rfc610.txt- recovery systems, through internal consistency checks), ../data/rfc/rfc610.txt- (5) _regulating_access_, to protect the databases, the system, and ../data/rfc/rfc610.txt- the privacy of users. ../data/rfc/rfc610.txt- ../data/rfc/rfc610.txt-These are the major data-related functions of the datacomputer; while ../data/rfc/rfc610.txt:the system will ultimately provide other services (such as accounting ../data/rfc/rfc610.txt-for use, monitoring performance) these are really auxiliary and common ../data/rfc/rfc610.txt-to all service facilities. ../data/rfc/rfc610.txt- ../data/rfc/rfc610.txt-This section presents global considerations for the design of ../data/rfc/rfc610.txt-datalanguage, based on our observations about the problem and the -- ../data/rfc/rfc943.txt- 1-149 Unassigned [JBP] ../data/rfc/rfc943.txt- 150 Xerox NS IDP [114,LLG] ../data/rfc/rfc943.txt- 151 Unassigned [JBP] ../data/rfc/rfc943.txt- 152 PARC Universal Protocol [12,HGM] ../data/rfc/rfc943.txt- 153 TIP Status Reporting [JGH] ../data/rfc/rfc943.txt: 154 TIP Accounting [JGH] ../data/rfc/rfc943.txt- 155 Internet Protocol [regular] [35,80,JBP] ../data/rfc/rfc943.txt- 156-158 Internet Protocol [experimental] [35,80,JBP] ../data/rfc/rfc943.txt- 159 Figleaf Link [JBW1] ../data/rfc/rfc943.txt- 160-194 Unassigned [JBP] ../data/rfc/rfc943.txt- 195 ISO-IP [116,RXM] -- ../data/rfc/rfc3543.txt- the binding to expire. This also applies to the case in which a ../data/rfc/rfc3543.txt- mobile node roams away from a foreign agent to another foreign ../data/rfc/rfc3543.txt- agent. Notification to the previous foreign agent would allow it ../data/rfc/rfc3543.txt- to reclaim resources. ../data/rfc/rfc3543.txt- ../data/rfc/rfc3543.txt: 2. Accurate accounting. 
This has a favorable impact on resolving ../data/rfc/rfc3543.txt: accounting issues with respect to the length of mobility bindings ../data/rfc/rfc3543.txt- in both domains, as the actual end of the registration is relayed. ../data/rfc/rfc3543.txt- ../data/rfc/rfc3543.txt- 3. Earlier adoption of domain policy changes with regards to services ../data/rfc/rfc3543.txt- offered/required of a Mobile IP binding. For example, the home ../data/rfc/rfc3543.txt- domain may now require reverse tunnels [C], yet there are existing -- ../data/rfc/rfc3543.txt- ../data/rfc/rfc3543.txt- ../data/rfc/rfc3543.txt-8.2. Informational References (Alphabetical) ../data/rfc/rfc3543.txt- ../data/rfc/rfc3543.txt- [A] Glass, S., Hiller, T., Jacobs, S. and C. Perkins, "Mobile IP ../data/rfc/rfc3543.txt: Authentication, Authorization, and Accounting Requirements", RFC ../data/rfc/rfc3543.txt- 2977, October 2000. ../data/rfc/rfc3543.txt- ../data/rfc/rfc3543.txt- [B] Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P., ../data/rfc/rfc3543.txt- Shiino, H., Walsh, P., Zorn, G., Dommety, G., Perkins, C., Patil, ../data/rfc/rfc3543.txt- B., Mitton, D., Manning, S., Beadles, M., Chen, X., Sivalingham, -- ../data/rfc/rfc4313.txt- server and to request verification. The SV server verifies the ../data/rfc/rfc4313.txt- user's identity and returns the result, including the necessary login ../data/rfc/rfc4313.txt- credentials, to the phone via SPEECHSC. The IP Phone may use the ../data/rfc/rfc4313.txt- identity directly to identify the user in outgoing calls, to fetch ../data/rfc/rfc4313.txt- the user's preferences from a configuration server, or to request ../data/rfc/rfc4313.txt: authorization from an Authentication, Authorization, and Accounting ../data/rfc/rfc4313.txt- (AAA) server, in any combination. Since this example uses SPEECHSC ../data/rfc/rfc4313.txt- to perform a security-related function, be sure to note the ../data/rfc/rfc4313.txt- associated material in Section 9. 
../data/rfc/rfc4313.txt- ../data/rfc/rfc4313.txt-3. General Requirements -- ../data/rfc/rfc2400.txt-MAPOS-SONET Multiple Access Protocol over SONET/SDH Version 1 2171 ../data/rfc/rfc2400.txt-RWHOIS Referral Whois Protocol 2167 ../data/rfc/rfc2400.txt-PPP-EXT PPP Vendor Extensions 2153 ../data/rfc/rfc2400.txt-UTF-7 UTF-7 2152 ../data/rfc/rfc2400.txt-CAST-128 CAST-128 Encryption Algorithm 2144 ../data/rfc/rfc2400.txt:RADIUS-ACC RADIUS Accounting 2139 ../data/rfc/rfc2400.txt-DLSCAP Data Link Switching Client Access Protocol 2114 ../data/rfc/rfc2400.txt-PNG Portable Network Graphics Version 1.0 2083 ../data/rfc/rfc2400.txt-RC5 RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms 2040 ../data/rfc/rfc2400.txt-SNTP Simple Network Time Protocol v4 for IPv4, IPv6 and OSI 2030 ../data/rfc/rfc2400.txt-PGP-MEF PGP Message Exchange Formats 1991 -- ../data/rfc/rfc5539.txt- The security considerations described throughout [RFC5246] and ../data/rfc/rfc5539.txt- [RFC4741] apply here as well. ../data/rfc/rfc5539.txt- ../data/rfc/rfc5539.txt- This document in its current version does not support third-party ../data/rfc/rfc5539.txt- authentication (e.g., backend Authentication, Authorization, and ../data/rfc/rfc5539.txt: Accounting (AAA) servers) due to the fact that TLS does not specify ../data/rfc/rfc5539.txt- this way of authentication and that NETCONF depends on the transport ../data/rfc/rfc5539.txt- protocol for the authentication service. If third-party ../data/rfc/rfc5539.txt- authentication is needed, BEEP or SSH transport can be used. ../data/rfc/rfc5539.txt- ../data/rfc/rfc5539.txt- -- ../data/rfc/rfc1125.txt- a single network protocol can vary greatly as to their efficiency ../data/rfc/rfc1125.txt- [8]. We can not assume control over implementation across AD ../data/rfc/rfc1125.txt- boundaries. 
Feedback mechanisms such as metering (and charging in ../data/rfc/rfc1125.txt- some cases) would introduce a concrete incentive for ADs to employ ../data/rfc/rfc1125.txt- efficient and correct implementations. PR should allow an AD to ../data/rfc/rfc1125.txt: advertise and apply such accounting measures to inter-AD traffic. ../data/rfc/rfc1125.txt- ../data/rfc/rfc1125.txt- In summary, the lack of global authority, the need to support network ../data/rfc/rfc1125.txt- resource sharing as well as network interconnection, the complex and ../data/rfc/rfc1125.txt- dynamic mapping of users to ADs and rights, and the need for ../data/rfc/rfc1125.txt- accountability across ADs, are characteristics of inter-AD -- ../data/rfc/rfc1125.txt- sample policy statements should not} be interpreted as agency policy, ../data/rfc/rfc1125.txt- they are provided here only as examples. ../data/rfc/rfc1125.txt- ../data/rfc/rfc1125.txt- Internet policies fall into two classes, access and charging. Access ../data/rfc/rfc1125.txt- policies specify who can use resources and under what conditions. ../data/rfc/rfc1125.txt: Charging policies specify the metering, accounting, and billing ../data/rfc/rfc1125.txt- implemented by a particular AD. ../data/rfc/rfc1125.txt- ../data/rfc/rfc1125.txt-6.1 TAXONOMY OF ACCESS POLICIES ../data/rfc/rfc1125.txt- ../data/rfc/rfc1125.txt- We have identified the following types of access policies that ADs -- ../data/rfc/rfc1125.txt-6.2 TAXONOMY OF CHARGING POLICIES ../data/rfc/rfc1125.txt- ../data/rfc/rfc1125.txt- Stub and transit charging policies may specify the following ../data/rfc/rfc1125.txt- parameters: ../data/rfc/rfc1125.txt- ../data/rfc/rfc1125.txt: * UNIT OF ACCOUNTING (e.g., dollars or credits). ../data/rfc/rfc1125.txt- * BASIS FOR CHARGING (e.g., per Kbyte or per Kpkt). ../data/rfc/rfc1125.txt- * ACTUAL CHARGES (e.g., actual numbers such as $.50/Mbyte). 
../data/rfc/rfc1125.txt- * WHO IS CHARGED OR PAID (e.g., originator of packet, ../data/rfc/rfc1125.txt- immediate neighbor from whom packet was received, destination ../data/rfc/rfc1125.txt- of packet, a third party collection agent). -- ../data/rfc/rfc1125.txt- available BW by non-nasa Federal agencies is below n%. NOTE THAT this ../data/rfc/rfc1125.txt- non-interference policy type needs some more work in terms of ../data/rfc/rfc1125.txt- integrating it into the routing algorithms. See Section 7. ../data/rfc/rfc1125.txt- ../data/rfc/rfc1125.txt- [NASA2: (*,{F},*)(*,{F},*){research,support} ../data/rfc/rfc1125.txt: {per-packet accounting, limited to n% of available BW}{}] ../data/rfc/rfc1125.txt- ../data/rfc/rfc1125.txt- 3. NASA will carry commercial traffic to federal and regional and ../data/rfc/rfc1125.txt- university ADs for nasa research or support. But it will not allow ../data/rfc/rfc1125.txt- transit. The particular entry AD is not important. ../data/rfc/rfc1125.txt- -- ../data/rfc/rfc1125.txt- commercial carriers to provide increasingly higher level and enhanced ../data/rfc/rfc1125.txt- services such as high speed packet switched backbone services. ../data/rfc/rfc1125.txt- Because such services are not yet part of the Research Internet ../data/rfc/rfc1125.txt- infrastructure there exist no policy statements. ../data/rfc/rfc1125.txt- ../data/rfc/rfc1125.txt: Charging and accounting are certain to be an important policy type in ../data/rfc/rfc1125.txt- this context. Moreover, we anticipate the long haul services market ../data/rfc/rfc1125.txt- to be highly competitive. This implies that competing service ../data/rfc/rfc1125.txt- providers will engage in significant gaming in terms of packaging and ../data/rfc/rfc1125.txt- pricing of services. Consequently, the ability to express varied and ../data/rfc/rfc1125.txt- dynamic charging policies will be critical for these ADs. -- ../data/rfc/rfc471.txt- (an ARPANET Executive protocol?) 
../data/rfc/rfc471.txt- ../data/rfc/rfc471.txt-3. To what extent can the conversational user interface be standardized ../data/rfc/rfc471.txt- in the user processes? (an ARPANET Executive language?) ../data/rfc/rfc471.txt- ../data/rfc/rfc471.txt:4. How can access authentication and accounting procedures be modified ../data/rfc/rfc471.txt- to permit a user to "login" only once, yet use resources at many ../data/rfc/rfc471.txt- Host sites? ../data/rfc/rfc471.txt- ../data/rfc/rfc471.txt-If you are interested in discussing these and related issues forward ../data/rfc/rfc471.txt-your name to Bob Thomas (BTHOMAS @BBN-TENEX), Bolt Beranek and Newman, -- ../data/rfc/rfc6867.txt- outage, device suspension, or a temporary move out of range. This is ../data/rfc/rfc6867.txt- similar to the session resumption mechanism described in [RFC5723]. ../data/rfc/rfc6867.txt- One exception being that instead of a ticket stored by the client, ../data/rfc/rfc6867.txt- the re-authentication Master Session Key (rMSK) (see Section 4.6 of ../data/rfc/rfc6867.txt- [RFC6696]) is used as the session key stored on both the client and ../data/rfc/rfc6867.txt: the Authentication, Authorization, and Accounting (AAA) server. ../data/rfc/rfc6867.txt- ../data/rfc/rfc6867.txt- ../data/rfc/rfc6867.txt- ../data/rfc/rfc6867.txt- ../data/rfc/rfc6867.txt- -- ../data/rfc/rfc3435.txt- minimum, unique within the collection of Call Agents that control the ../data/rfc/rfc3435.txt- same gateways. From the gateway's perspective, the Call identifier ../data/rfc/rfc3435.txt- is thus unique. When a Call Agent builds several connections that ../data/rfc/rfc3435.txt- pertain to the same call, either on the same gateway or in different ../data/rfc/rfc3435.txt- gateways, these connections that belong to the same call should share ../data/rfc/rfc3435.txt: the same call-id. This identifier can then be used by accounting or ../data/rfc/rfc3435.txt- management procedures, which are outside the scope of MGCP. 
../data/rfc/rfc3435.txt- ../data/rfc/rfc3435.txt-2.1.3.2 Names of Connections ../data/rfc/rfc3435.txt- ../data/rfc/rfc3435.txt- Connection identifiers are created by the gateway when it is -- ../data/rfc/rfc3435.txt- this connection belongs. This parameter SHOULD, at a minimum, be ../data/rfc/rfc3435.txt- unique within the collection of Call Agents that control the same ../data/rfc/rfc3435.txt- gateways. Connections that belong to the same call SHOULD share the ../data/rfc/rfc3435.txt- same call-id. The call-id has little semantic meaning in the ../data/rfc/rfc3435.txt- protocol; however it can be used to identify calls for reporting and ../data/rfc/rfc3435.txt: accounting purposes. It does not affect the handling of connections ../data/rfc/rfc3435.txt- by the gateway. ../data/rfc/rfc3435.txt- ../data/rfc/rfc3435.txt- EndpointId is the identifier for the connection endpoint in the ../data/rfc/rfc3435.txt- gateway where CreateConnection executes. The EndpointId can be ../data/rfc/rfc3435.txt- fully-specified by assigning a value to the parameter EndpointId in -- ../data/rfc/rfc6653.txt- router offloading delegation of prefixes and release tasks to a ../data/rfc/rfc6653.txt- DHCPv6 server. The access router first requests a prefix for an ../data/rfc/rfc6653.txt- incoming mobile node from the DHCPv6 server. The access router may ../data/rfc/rfc6653.txt- next do stateless or stateful address allocation to the mobile node, ../data/rfc/rfc6653.txt- e.g., with a Router Advertisement or using DHCP. We also describe ../data/rfc/rfc6653.txt: prefix management using Authentication, Authorization, and Accounting ../data/rfc/rfc6653.txt- (AAA) servers. ../data/rfc/rfc6653.txt- ../data/rfc/rfc6653.txt-Status of This Memo ../data/rfc/rfc6653.txt- ../data/rfc/rfc6653.txt- This document is not an Internet Standards Track specification; it is -- ../data/rfc/rfc6653.txt- MNs and is in charge of address/prefix management. 
../data/rfc/rfc6653.txt:

The AR is connected to an IP network that is owned by the operator;
this network is connected to the public Internet via a border router.
The network contains servers for subscriber management, including
Quality of Service, billing, and accounting, as well as a Dynamic
Host Configuration Protocol (DHCP) server [RFC6342].

With IPv6 addressing, because mobile network links are point-to-point
(P2P), the per-MN interface prefix model is used [RFC3314] [RFC3316].
In the per-MN interface prefix model, prefix management is an issue.
--

2. Terminology and Acronyms

3GPP - 3rd Generation Partnership Project

AAA - Authentication, Authorization, and Accounting

AR - Access Router

BS - Base Station

--
../data/rfc/rfc4962.txt:
BCP: 132 B. Aboba
Category: Best Current Practice Microsoft
July 2007

Guidance for Authentication, Authorization, and Accounting (AAA)
Key Management

Status of This Memo

This document specifies an Internet Best Current Practices for the
--
Copyright (C) The IETF Trust (2007).

Abstract

This document provides guidance to designers of Authentication,
Authorization, and Accounting (AAA) key management protocols. The
guidance is also useful to designers of systems and solutions that
include AAA key management protocols. Given the complexity and
difficulty in designing secure, long-lasting key management
algorithms and protocols by experts in the field, it is almost
certainly inappropriate for IETF working groups without deep
expertise in the area to be designing their own key management
algorithms and protocols based on Authentication, Authorization, and
Accounting (AAA) protocols. The guidelines in this document apply to
documents requesting publication as IETF RFCs. Further, these
guidelines will be useful to other standards development
organizations (SDOs) that specify AAA key management.

--
Given the complexity and difficulty in designing secure, long-lasting
key management algorithms and protocols by experts in the field, it
is almost certainly inappropriate for IETF working groups without
deep expertise in the area to be designing their own key management
algorithms and protocols based on Authentication, Authorization and
Accounting (AAA) protocols. These guidelines apply to documents
requesting publication as IETF RFCs. Further, these guidelines will
be useful to other standards development organizations (SDOs) that
specify AAA key management that depends on IETF specifications for
protocols such as Extensible Authentication Protocol (EAP) [RFC3748],
Remote Authentication Dial-In User Service (RADIUS) [RFC2865], and
--
1.3. Terminology

This section defines terms that are used in this document.

AAA
Authentication, Authorization, and Accounting (AAA). AAA
protocols include RADIUS [RFC2865] and Diameter [RFC3588].

Authenticator
The party initiating EAP authentication. The term
authenticator is used in [802.1X], and authenticator has the
--
RFC 4962 Guidance for AAA Key Management July 2007

Appendix: AAA Key Management History

Protocols for Authentication, Authorization, and Accounting (AAA)
were originally developed to support deployments of Network Access
Servers (NASes). In the ARPAnet, the Terminal Access Controller
(TAC) provided a means for "dumb terminals" to access the network,
and the TACACS [RFC0927][RFC1492] AAA protocol was designed by BBN
under contract to the Defense Data Network Program Management Office
--
impractical for each NAS to contain its own list of users and
associated credentials. As a result, additional AAA protocols were
developed, including RADIUS [RFC2865] and Diameter [RFC3588]. These
protocols enabled a central AAA server to authenticate users
requesting network access, as well as providing authorization and
accounting.

While PPP [RFC1661] originally supported only PAP [RFC1334] and CHAP
[RFC1661] authentication, the limitations of these authentication
mechanisms became apparent. For example, both PAP and CHAP are
unilateral authentication schemes supporting only authentication of
--
However, in practice, such pure two-party schemes are rarely
deployed. Operation of a centralized AAA server significantly
reduces the effort required to deploy certificates to NASes, and even
though an AAA server may not be required for key derivation and
possibly authentication, its participation is required for service
authorization and accounting.

"Pass-through" authentication and AAA key distribution has retained
popularity even in the face of rapid improvements in processor and
memory capabilities. In addition to producing NAS devices of
increased capability for enterprise and carrier customers,
--
../data/rfc/rfc4888.txt:
However, there are deployment scenarios where allowing unauthorized
Visiting Mobile Nodes is actually desirable. For instance, when
Mobile Routers attach to other Mobile Routers and form a nested NEMO,
they depend on each other to reach the Internet. When Mobile Routers
have no prior knowledge of one another (no security association,
Authentication, Authorization, and Accounting (AAA), Public-Key
Infrastructure (PKI), etc.), it could still be acceptable to forward
packets, provided that the packets are not tunneled back to the Home
Networks.

A Route Optimization mechanism that allows traffic from Mobile
--
../data/rfc/rfc7855.txt:

Capacity planning anticipates the routing of the traffic matrix onto
the network topology for a set of expected traffic and topology
variations. The heart of the process consists in simulating the
placement of the traffic along ECMP-aware shortest paths and
accounting for the resulting bandwidth usage.

The bandwidth accounting of a demand along its shortest path is a
basic capability of any planning tool or PCE server.

For example, in the network topology described below, and assuming a
default IGP metric of 1 and IGP metric of 2 for link GF, a 1600 Mbps
A-to-Z flow is accounted as consuming 1600 Mbps on links AB and FZ;
--
../data/rfc/rfc136.txt:
Network Working Group R. Kahn
Request for Comments: 136 BBN
NIC: 6713 29 April 1971

Host Accounting and Administrative Procedures

A plan must be formulated and agreed upon for the development of a
Host accounting system in the ARPA Network. Such a plan should take
into consideration both current Host accounting practices and new
technical contributions. This document is an early attempt to
identify the issues concerning Host accounting. It is being
distributed as a working document on which further discussions may be
based and, as such, does not represent, nor is intended to represent,
a position on any of these issues.

The method of network operation and the potential for its growth are
relevant factors to be considered in formulating a plan for Host
accounting. For example, the answers to the following questions
provide a useful background for reference:

1. Who or what operates the Network?

2. What is the criteria upon which new sites should be
--

Kahn [Page 1]

RFC 136 Host Accounting and Administrative Procedures 29 April 1971

Assumptions Regarding the Network

I have made several assumptions in this presentation that should
simplify and, hopefully, clarify the framework in which the
accounting issues reside. Any one of these assumptions may be
subject to challenge.

1. Subnet Considerations

1.1 That some entity, government or private, will undertake to
--
etc. It will further indicate, where appropriate, the status
of equipment (such as government-furnished, leased, or
privately owned) and whether the rates are in accord with
government standards.

2.3 That the implementation of standard automated accounting
procedures involving the use of the Network will be deferred
until non-automated procedures have been understood and
stabilized. Early experimentation in this area is
appropriate, however.

2.4 That no major change in current Host accounting procedures
should be required initially.

3. Both Host and Subnet Considerations

3.1 That two kinds of traffic into the Network will be measured by
--
basis or on a link or socket basis. Each Host will be
responsible for distributing the cost of Network usage among
the appropriate users.

3.3 That some form of duplication, verification, or backup of
accounting information may become desirable.

3.4 Understanding the relationship between service, improvement,
reliability and cost should be the responsibility of the
Network operator, but that feedback from the Host sites in
this area is absolutely essential.
--
The following set of topics are introduced for discussion among the
network community.

1. Current Practices

1.1 What constitutes current Host accounting procedures? How is it
accomplished and what is accounted for?

2. Administrative Procedures

2.1 What access arrangements for network users are either planned
or envisioned at each site?

2.2 Are security or authenticity provisions required for network
usage and if so, what is the nature of that requirement?

2.3 Should Host accounting and network accounting be completely
independent of each other or not? If not, in what way should
they be made independent?

2.4 What long range billing procedures are desirable?

--

3. Charging Policies

3.1 What procedures are required for a Host to determine the most
cost effective way to run a job on the Network? In this
regard, is it helpful to try to categorize resources for
costing purposes?

3.2 Should some classes of Host activity be exempt from
accounting?

3.3 Is it desirable to achieve standardized rates for specific
classes of activity, and if so how should those rates be
determined?

4. Technical Aspects

4.1 Should Host accounting information eventually flow via the
Network? Should it be accessible to a user or a Host in real-
time? If so, what should flow online?

4.2 What accounting mechanisms, if any, are needed to deal with
events, from which recovery or continuation is not possible
that result from use of the Network and lack of proximity to
the computer? To what extent are the procedures in current use
for remote users from the dial-up network applicable?

--
../data/rfc/rfc3993.txt:
RFC 3993 Subscriber-ID Suboption March 2005

The Subscriber-ID information allows the service provider to
assign/activate subscriber-specific actions; e.g., assignment of host
IP address and subnet mask, DNS configuration, or trigger accounting.
This suboption is de-coupled from the access network's physical
structure, so subscriber moves from one access-point to another, for
example, would not require reconfiguration at the service provider's
DHCP servers.

--
../data/rfc/rfc6908.txt:
2.3. Logging at the AFTR ........................................4
2.4. Blacklisting a Shared IPv4 Address .........................5
2.5. AFTR's Policies ............................................5
2.5.1. Outgoing Policy .....................................5
2.5.2. Incoming Policy .....................................6
2.6. AFTR Impacts on Accounting Process .........................6
2.7. Reliability Considerations of AFTR .........................7
2.8. Strategic Placement of AFTR ................................8
2.9. AFTR Considerations for Geographically Aware Services ......8
2.10. Impacts on QoS Policy .....................................9
2.11. Port Forwarding Considerations ............................9
--
the IPv6 access network to apply certain traffic policies. In this
deployment scenario, the operator can configure the AFTR to mark the
incoming packets with the predefined DSCP value. This policy will
apply to all incoming packets from the IPv4 network.

2.6. AFTR Impacts on Accounting Process

This section discusses IPv4 and IPv6 traffic accounting in the
DS-Lite environment. In a typical broadband access scenario (e.g.,
DSL or Cable), the B4 is embedded in a Residential Gateway. The edge
router for the B4s in the provider's network is an IPv6 edge router.
The edge router is usually responsible for IPv6 accounting and the
user management functions such as authentication, authorization, and
accounting (AAA). However, given the fact that IPv4 traffic is
encapsulated in an IPv6 packet at the B4 and only decapsulated at the
AFTR, the edge router will require additional functionality to
associate IPv4 accounting information to the B4 IPv6 address. If
DS-Lite is the only application using the IPv4-in-IPv6 protocol in
the IPv6 access network, the operator can configure the edge router
to check the IPv6 Next Header field in the IPv6 header, identify the
protocol type (i.e., 0x04), and collect IPv4 accounting information.

Alternatively, the AFTR may perform accounting for IPv4 traffic.
However, operators must be aware that this will introduce some
challenges, especially in DSL deployment. In DSL deployment, the AAA
transaction normally happens between the edge router (i.e., Broadband
Network Gateway) and AAA server. [RFC6333] does not require the AFTR
to interact with the AAA server or edge router. Thus, the AFTR may
not have the AAA parameters (e.g., Account Session ID) associated
with B4s to generate an IPv4 accounting record. IPv4 traffic
accounting at the AFTR is not recommended when the AAA parameters
necessary to generate complete IPv4 accounting records are not
available. The accounting process at the AFTR is only necessary if
the operator requires separating per-B4 accounting records for IPv4
and IPv6 traffic. If the per-B4 IPv6 accounting records, collected

Lee, et al. Informational [Page 6]

RFC 6908 Deployment Considerations for DS-Lite March 2013

by the edge router, are sufficient, then the additional complexity of
enabling IPv4 accounting at the AFTR is not required. It is
important to notice that, since the IPv4 traffic is encapsulated in
IPv6 packets, the data collected by the edge router for IPv6 traffic
already contains the total amount of traffic (i.e., IPv4 and IPv6).

Even if detailed accounting records collection for IPv4 traffic may
not be required, it would be useful for an operator, in some
scenarios, to have information that the edge router generates for the
IPv6 traffic. This information can be used to identify the AFTR who
is handling the IPv4 traffic for that B4. This can be achieved by
adding additional information to the IPv6 accounting records. For
example, operators can use RADIUS attribute information specified in
[RFC6519] or a new attribute to be specified in Internet Protocol
Detailed Record (IPDR).

2.7. Reliability Considerations of AFTR
--
../data/rfc/rfc3758.txt:
The following are some of the advantages for integrating partially
reliable data service into SCTP, i.e., benefits of PR-SCTP:

1. Some application layer protocols may benefit from being able to
use a single SCTP association to carry both reliable content, --
such as text pages, billing and accounting information, setup
signaling -- and unreliable content, e.g., state that is highly
sensitive to timeliness, where generating a new packet is more
advantageous than transmitting an old one [3].

2. Partially reliable data traffic carried by PR-SCTP will enjoy the
--
../data/rfc/rfc5447.txt:
utilizing Mobile IPv6. RFC 3775 requires that some or all of these
parameters be statically configured. Mobile IPv6 bootstrapping work
aims to make this information dynamically available to the mobile
node. An important aspect of the Mobile IPv6 bootstrapping solution
is to support interworking with existing Authentication,
Authorization, and Accounting (AAA) infrastructures. This document
describes MIPv6 bootstrapping using the Diameter Network Access
Server to home AAA server interface.

--

A device that provides an access service for a user to a network.

Home AAA (HAAA):

An Authentication, Authorization, and Accounting server located in
the user's home network, i.e., in the home realm.

Local AAA (LAAA):

An Authentication, Authorization, and Accounting proxy located in
the local (ASP) network.

Visited AAA (VAAA):

An Authentication, Authorization, and Accounting proxy located in
a visited network, i.e., in the visited realm. In a roaming case,
the local Diameter proxy has the VAAA role (see Figure 1).

--

3. Overview

This document addresses the Authentication, Authorization, and
Accounting (AAA) functionality required for the MIPv6 bootstrapping
solutions outlined in [RFC4640], and focuses on the Diameter-based
AAA functionality for the NAS-to-HAAA (home AAA) server
communication.

In the integrated scenario, MIPv6 bootstrapping is provided as part
--
../data/rfc/rfc3580.txt:
Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology. . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Requirements Language. . . . . . . . . . . . . . . . . . 4
2. RADIUS Accounting Attributes . . . . . . . . . . . . . . . . . 5
2.1. Acct-Terminate-Cause . . . . . . . . . . . . . . . . . . 5
2.2. Acct-Multi-Session-Id. . . . . . . . . . . . . . . . . . 6
2.3. Acct-Link-Count. . . . . . . . . . . . . . . . . . . . . 7
3. RADIUS Authentication. . . . . . . . . . . . . . . . . . . . . 7
3.1. User-Name. . . . . . . . . . . . . . . . . . . . . . . . 8
--
IEEE 802.1X does not require use of a backend Authentication Server,
and thus can be deployed with stand-alone bridges or Access Points,
as well as in centrally managed scenarios.

In situations where it is desirable to centrally manage
authentication, authorization and accounting (AAA) for IEEE 802
networks, deployment of a backend authentication and accounting
server is desirable. In such situations, it is expected that IEEE
802.1X Authenticators will function as AAA clients.

This document provides suggestions on RADIUS usage by IEEE 802.1X
Authenticators. Support for any AAA protocol is optional for IEEE
--
Congdon, et al. Informational [Page 4]

RFC 3580 IEEE 802.1X RADIUS September 2003

2. RADIUS Accounting Attributes

With a few exceptions, the RADIUS accounting attributes defined in
[RFC2866], [RFC2867], and [RFC2869] have the same meaning within IEEE
802.1X sessions as they do in dialup sessions and therefore no
additional commentary is needed.

Attributes requiring more discussion include:
--
explicit re-authentication request by management action.

Within [IEEE80211], periodic re-authentication may be useful in
preventing reuse of an initialization vector with a given key. Since
successful re-authentication does not result in termination of the
session, accounting packets are not sent as a result of
re-authentication unless the status of the session changes. For
example:

a. The session is terminated due to re-authentication failure. In
this case the Reauthentication Failure (20) termination cause is
used.

b. The authorizations are changed as a result of a successful
re-authentication. In this case, the Service Unavailable (15)
termination cause is used. For accounting purposes, the portion
of the session after the authorization change is treated as a
separate session.

Where IEEE 802.1X authentication occurs prior to association,
accounting packets are not sent until an association occurs.

An Admin Reset (6) termination cause indicates that the Port has been
administratively forced into the unauthorized state.

A Port Reinitialized (21) termination cause indicates that the Port's
--
2.2. Acct-Multi-Session-Id

The purpose of this attribute is to make it possible to link together
multiple related sessions. While [IEEE8021X] does not act on
aggregated ports, it is possible for a Supplicant roaming between
Access Points to cause multiple RADIUS accounting packets to be sent
by different Access Points.

Where supported by the Access Points, the Acct-Multi-Session-Id
attribute can be used to link together the multiple related sessions
of a roaming Supplicant. In such a situation, if the session context
is transferred between Access Points, accounting packets MAY be sent
without a corresponding authentication and authorization exchange,

--
the Access Points as part of the Inter-Access Point Protocol (IAPP).

If the Acct-Multi-Session-Id were not unique between Access Points,
then it is possible that the chosen Acct-Multi-Session-Id will
overlap with an existing value allocated on that Access Point, and
the Accounting Server would therefore be unable to distinguish a
roaming session from a multi-link session.

As a result, the Acct-Multi-Session-Id attribute is unique among all
the bridges or Access Points, Supplicants and sessions. In order to
provide this uniqueness, it is suggested that the Acct-Multi-
--
This attribute is sent by a bridge or Access Point to indicate the
nature of the Supplicant's connection. When sent in the Access-
Request it is recommended that this attribute contain information on
the speed of the Supplicant's connection. For 802.11, the following
format is recommended: "CONNECT 11Mbps 802.11b". If sent in the
Accounting STOP, this attribute may be used to summarize statistics
relating to session quality. For example, in IEEE 802.11, the
Connect-Info attribute may contain information on the number of link
layer retransmissions. The exact format of this attribute is
implementation specific.

--

3.31. Tunnel Attributes

Reference [RFC2868] defines RADIUS tunnel attributes used for
authentication and authorization, and [RFC2867] defines tunnel
attributes used for accounting. Where the IEEE 802.1X Authenticator
supports tunneling, a compulsory tunnel may be set up for the
Supplicant as a result of the authentication.

In particular, it may be desirable to allow a port to be placed into
a particular Virtual LAN (VLAN), defined in [IEEE8021Q], based on the
--
48 octet RC4 key (384 bits).

5. Security Considerations

Since this document describes the use of RADIUS for purposes of
authentication, authorization, and accounting in IEEE 802.1X-enabled
networks, it is vulnerable to all of the threats that are present in
other RADIUS applications. For a discussion of these threats, see
[RFC2607], [RFC2865], [RFC3162], [RFC3579], and [RFC3576].

Vulnerabilities include:
--

5.4. Replay

As noted in [RFC3579] Section 4.3.5., the RADIUS protocol provides
only limited support for replay protection. Replay protection for
RADIUS authentication and accounting can be provided by enabling
IPsec replay protection with RADIUS, as described in [RFC3579],
Section 4.2.

As with the Request Authenticator, for use with IEEE 802.1X
Authenticators, the Acct-Session-Id SHOULD be globally and temporally
--

[RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.

[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[RFC2867] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting
Modifications for Tunnel Protocol Support", RFC 2867,
June 2000.

--
../data/rfc/rfc2123.txt:

1 Introduction

Early in 1992 my University needed to develop a system for recovering
the costs of its Internet traffic. In March of that year I attended
the Internet Accounting Working Group's session at the San Diego
IETF, where I was delighted to find that the Group had produced a
detailed architecture for measuring network traffic and were waiting
for someone to try implementing it.

During 1992 I produced a prototype measurement system, using balanced
--
../data/rfc/rfc1844.txt:
2. System installation, configuration and management
2.1 How complex/easy is installation and configuration? Are
there any pitfalls that need attention? Can you configure
per set of users (i.e systemwide or LAN wide default
configuration) and/or per user?
2.2 Are there facilities for logging and/or accounting?
2.3 Does the UA generate correct RFC-822 headers for outgoing
messages:
From:, (and if necessary) Sender:
Date:
Message-id:
--
../data/rfc/rfc1060.txt:
64-149 Unassigned [JBP]
150 Xerox NS IDP [133,XEROX]
151 Unassigned [JBP]
152 PARC Universal Protocol [8,XEROX]
153 TIP Status Reporting [JGH]
154 TIP Accounting [JGH]
155 Internet Protocol [regular] [105,JBP]
156-158 Internet Protocol [experimental] [105,JBP]
159 Figleaf Link [JBW1]
160 Blacker Local Network Protocol [DM28]
161-194 Unassigned [JBP]
--
../data/rfc/rfc7832.txt:
Where this service is currently offered, it would usually be achieved
through the use of "open" printers (i.e., printers that allow
anonymous print requests), where printer availability is advertised
through the use of Bonjour or other similar protocols. If the
organization requires authenticated print requests (usually for
accounting purposes), the visitor would usually have to be given
credentials that allow this, often supplemented with pay-as-you-go
style payment systems.

Adding federated authentication to the Internet Printing Protocol
(IPP) [RFC2911] (and other relevant protocols) would enable this kind
--
../data/rfc/rfc1862.txt:
is or should be any access time enforcement or only after the fact
enforcement. The information is likely to be in the form of
attribute-value pairs and must be able to capture copyright knowledge
effectively.

* ACCOUNTING: An accounting service provides metering of the use of
resources. The resources wholly contained in the wholesale layer are
the services discussed here. It will also be important to provide
metering tools in the wholesale layer to be used by the retail layer
to meter usage or content access in that layer. Metering may be used
for a variety of purposes ranging from providing better utilization
or service from the resources to pricing and billing. Hence
accounting services will be used by object storage, caching and
replication, lower layer networking services, as well as pricing and
billing services. In the form of content metering it will also
interact with attribute management.
../data/rfc/rfc1862.txt- ../data/rfc/rfc1862.txt- -- ../data/rfc/rfc1862.txt- that caching and replication are important, but the discussion of ../data/rfc/rfc1862.txt- that was left to another group that had taken that as the focus of ../data/rfc/rfc1862.txt- their agenda. Object storage will take an object and put it ../data/rfc/rfc1862.txt- somewhere, while maintaining both the identity and nature of the ../data/rfc/rfc1862.txt- object. It is tightly coupled to caching and replication, as well as ../data/rfc/rfc1862.txt: accounting, often in order to determine patterns of caching and ../data/rfc/rfc1862.txt- replication. It is also tightly coupled to object publication, ../data/rfc/rfc1862.txt- translation, and provides interfaces to both supporting storage ../data/rfc/rfc1862.txt- facilities such as local file systems, as well as direct access from ../data/rfc/rfc1862.txt- applications, needing access to objects. ../data/rfc/rfc1862.txt- -- ../data/rfc/rfc1862.txt- for the ability to create or import objects into this object world by ../data/rfc/rfc1862.txt- the publication paradigm, and allows objects to evolve to support new ../data/rfc/rfc1862.txt- or evolving functionality through the translation paradigm. Access ../data/rfc/rfc1862.txt- to the objects is provided by object storage, enhanced with caching ../data/rfc/rfc1862.txt- and replication services and mediated by the attributes managed by ../data/rfc/rfc1862.txt: attribute management and accounting or content metering. Discovery ../data/rfc/rfc1862.txt- of resources (figuring out which identifier to be chasing) is ../data/rfc/rfc1862.txt- provided by resource discovery services. Types are registered and ../data/rfc/rfc1862.txt- hence available both as definitions and perhaps in the form of ../data/rfc/rfc1862.txt- implementations from a definition service. 
Lastly, there is a ../data/rfc/rfc1862.txt- vertical model of providing the two-way services of adaptive glue for -- ../data/rfc/rfc7683.txt- ../data/rfc/rfc7683.txt-9.1. AVP Codes ../data/rfc/rfc7683.txt- ../data/rfc/rfc7683.txt- New AVPs defined by this specification are listed in Section 7. All ../data/rfc/rfc7683.txt- AVP codes are allocated from the "AVP Codes" sub-registry under the ../data/rfc/rfc7683.txt: "Authentication, Authorization, and Accounting (AAA) Parameters" ../data/rfc/rfc7683.txt- registry. ../data/rfc/rfc7683.txt- ../data/rfc/rfc7683.txt-9.2. New Registries ../data/rfc/rfc7683.txt- ../data/rfc/rfc7683.txt- Two new registries have been created in the "AVP Specific Values" ../data/rfc/rfc7683.txt: sub-registry under the "Authentication, Authorization, and Accounting ../data/rfc/rfc7683.txt- (AAA) Parameters" registry. ../data/rfc/rfc7683.txt- ../data/rfc/rfc7683.txt- A new "OC-Feature-Vector AVP Values (code 622)" registry has been ../data/rfc/rfc7683.txt- created. This registry contains the following: ../data/rfc/rfc7683.txt- -- ../data/rfc/rfc1726.txt- 6. Things We Chose Not to Require. . . . . . . . . . . . . . 26 ../data/rfc/rfc1726.txt- 6.1 Fragmentation . . . . . . . . . . . . . . . . . . . . . . 26 ../data/rfc/rfc1726.txt- 6.2 IP Header Checksum. . . . . . . . . . . . . . . . . . . . 26 ../data/rfc/rfc1726.txt- 6.3 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . 27 ../data/rfc/rfc1726.txt- 6.4 Network Management. . . . . . . . . . . . . . . . . . . . 27 ../data/rfc/rfc1726.txt: 6.5 Accounting. . . . . . . . . . . . . . . . . . . . . . . . 27 ../data/rfc/rfc1726.txt- 6.6 Routing . . . . . . . . . . . . . . . . . . . . . . . . . 27 ../data/rfc/rfc1726.txt- 6.6.1 Scale . . . . . . . . . . . . . . . . . . . . . . . . . . 28 ../data/rfc/rfc1726.txt- 6.6.2 Policy. . . . . . . . . . . . . . . . . . . . . . . . . . 28 ../data/rfc/rfc1726.txt- 6.6.3 QOS . . . . . . . . . . . . . . . . . . . . . . . . . . . 
28 ../data/rfc/rfc1726.txt- 6.6.4 Feedback. . . . . . . . . . . . . . . . . . . . . . . . . 28 -- ../data/rfc/rfc1726.txt-Partridge and Kastenholz [Page 14] ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt-RFC 1726 IPng Technical Criteria December 1994 ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt: integral accounting and billing capabilities, and IPng must ../data/rfc/rfc1726.txt- provide the correct control information to such subnetworks. ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt- Time Frame ../data/rfc/rfc1726.txt- Specifications for current media encapsulations (i.e., all ../data/rfc/rfc1726.txt- encapsulations that are currently Proposed standards, or higher, -- ../data/rfc/rfc1726.txt- routing system within the network. This criterion covers those ../data/rfc/rfc1726.txt- aspects of security that are not needed to provide the Robustness ../data/rfc/rfc1726.txt- criterion. ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt- Another aspect of security is non-repudiation of origin. In order ../data/rfc/rfc1726.txt: to adequately support the expected need for simple accounting, we ../data/rfc/rfc1726.txt- believe that this is a necessary feature. ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt- In order to safely support requirements of the commercial world, ../data/rfc/rfc1726.txt- IPng-level security must have capabilities to prevent ../data/rfc/rfc1726.txt- eavesdroppers from monitoring traffic and deducing traffic -- ../data/rfc/rfc1726.txt- globally unique, unambiguous, and ubiquitous names for endpoints, ../data/rfc/rfc1726.txt- nodes, interfaces, and the like. Every datagram must carry the ../data/rfc/rfc1726.txt- identifier of both its source and its destination (or some method ../data/rfc/rfc1726.txt- must be available to determine these identifiers, given a ../data/rfc/rfc1726.txt- datagram). We believe that this is required in order to support ../data/rfc/rfc1726.txt: certain accounting functions. 
../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt- Other functions and uses of unique names are: ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt- * To uniquely identify endpoints (thus if the unique name and ../data/rfc/rfc1726.txt- address are not the same, the TCP pseudo-header should include -- ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt-RFC 1726 IPng Technical Criteria December 1994 ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt- DISCUSSION ../data/rfc/rfc1726.txt: For many reasons, such as accounting, security and multimedia, it ../data/rfc/rfc1726.txt- is desirable to treat different packets differently in the ../data/rfc/rfc1726.txt- network. ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt- For example, multimedia is now on our desktop and will be an ../data/rfc/rfc1726.txt- essential part of future networking. So we have to find ways to -- ../data/rfc/rfc1726.txt- network management, per se, is not an attribute of the IPng protocol. ../data/rfc/rfc1726.txt- Furthermore, network management is viewed as a support, or service, ../data/rfc/rfc1726.txt- function. Network management should be developed to fit IPng and not ../data/rfc/rfc1726.txt- the other way round. ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt:6.5 Accounting ../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt: We believe that accounting, like network management, must be designed ../data/rfc/rfc1726.txt- to fit the IPng protocol, and not the other way round. Therefore, ../data/rfc/rfc1726.txt: accounting, in and of itself, is not a requirement of IPng. However, ../data/rfc/rfc1726.txt- there are some facets of the protocol that have been specified to ../data/rfc/rfc1726.txt: make accounting easier, such as non-repudiation of origin under ../data/rfc/rfc1726.txt- security, and the unique naming requirement for sorting datagrams ../data/rfc/rfc1726.txt- into classes. Note that a parameter of network service that IPng ../data/rfc/rfc1726.txt- must support is cost. 
../data/rfc/rfc1726.txt- ../data/rfc/rfc1726.txt-6.6 Routing -- ../data/rfc/rfc1510.txt- Project Athena, Cambridge, Mas sachusetts (1987). ../data/rfc/rfc1510.txt- ../data/rfc/rfc1510.txt- [8] CCITT, Recommendation X.509: The Directory Authentication ../data/rfc/rfc1510.txt- Framework, December 1988. ../data/rfc/rfc1510.txt- ../data/rfc/rfc1510.txt: [9] Neuman, C., "Proxy-Based Authorization and Accounting for ../data/rfc/rfc1510.txt- Distributed Systems," in Proceedings of the 13th International ../data/rfc/rfc1510.txt- Conference on Distributed Computing Systems", Pittsburgh, PA, ../data/rfc/rfc1510.txt- May 1993. ../data/rfc/rfc1510.txt- ../data/rfc/rfc1510.txt- [10] Pato, J., "Using Pre-Authentication to Avoid Password Guessing -- ../data/rfc/rfc2208.txt- ../data/rfc/rfc2208.txt- Before any decision to deploy RSVP, it would be wise to ensure that ../data/rfc/rfc2208.txt- the policy control available from a vendor is adequate for the ../data/rfc/rfc2208.txt- intended usage. In addition to the lack of documented policy ../data/rfc/rfc2208.txt- mechanisms in any of the policy areas (such as access control, ../data/rfc/rfc2208.txt: authorization, and accounting), the community has little experience ../data/rfc/rfc2208.txt- with describing, setting and controlling policies that limit Internet ../data/rfc/rfc2208.txt- service. Therefore it is likely that vendor solutions will be ../data/rfc/rfc2208.txt- revised often, particularly before the IETF has developed any policy ../data/rfc/rfc2208.txt- specification. ../data/rfc/rfc2208.txt- -- ../data/rfc/rfc1753.txt- which provide those services. ../data/rfc/rfc1753.txt- ../data/rfc/rfc1753.txt- To the internetworking layer, a flow is a sequence of packets that ../data/rfc/rfc1753.txt- share all the attributes that the internetworking layer cares about. 
../data/rfc/rfc1753.txt- This includes, but is not limited to: source/destination, path, ../data/rfc/rfc1753.txt: resource allocation, accounting/authorization, ../data/rfc/rfc1753.txt- authentication/security, etc., etc. ../data/rfc/rfc1753.txt- ../data/rfc/rfc1753.txt- There isn't necessarily a one-one mapping from flows to *anything* ../data/rfc/rfc1753.txt- else, be it a TCP connection, or an application instance, or ../data/rfc/rfc1753.txt- whatever. A single flow might contain several TCP connections (e.g., -- ../data/rfc/rfc1753.txt- more complex than unicast (there is a large pool of state which must ../data/rfc/rfc1753.txt- be made coherent), but the concepts are similar. ../data/rfc/rfc1753.txt- ../data/rfc/rfc1753.txt- There's an interesting architectural issue here. Let's assume we have ../data/rfc/rfc1753.txt- all these different internetwork level subsystems (routing, resource ../data/rfc/rfc1753.txt: allocation, security/access-control, accounting), etc. Now, we have ../data/rfc/rfc1753.txt- two choices. ../data/rfc/rfc1753.txt- ../data/rfc/rfc1753.txt- First, we could allow each individual subsystem which uses the ../data/rfc/rfc1753.txt- concept of flows to define itself what it thinks a "flow" is, and ../data/rfc/rfc1753.txt- define which values in which fields in the packet define a given -- ../data/rfc/rfc2072.txt- executable code for generating ranges of test addresses. Such ../data/rfc/rfc2072.txt- scripts may, at first examination, not appear to contain explicit IP ../data/rfc/rfc2072.txt- addresses. They may, for example, contain a "seed" address used with ../data/rfc/rfc2072.txt- an incrementing loop. ../data/rfc/rfc2072.txt- ../data/rfc/rfc2072.txt:12.5 Accounting Management ../data/rfc/rfc2072.txt- ../data/rfc/rfc2072.txt: Accounting records may be sent periodically to syslogd or as SNMP ../data/rfc/rfc2072.txt- traps. 
Alternatively, the SNMP manager or other management ../data/rfc/rfc2072.txt: applications may periodically poll accounting information in routers, ../data/rfc/rfc2072.txt- and thus contain hard-coded IP addresses. ../data/rfc/rfc2072.txt- ../data/rfc/rfc2072.txt-12.6 Security Management ../data/rfc/rfc2072.txt- ../data/rfc/rfc2072.txt- Security management includes logging, authentication, filtering, and -- ../data/rfc/rfc5807.txt- PEMK and its associated states MUST be deleted. ../data/rfc/rfc5807.txt- ../data/rfc/rfc5807.txt-4. Security Considerations ../data/rfc/rfc5807.txt- ../data/rfc/rfc5807.txt- The following considerations are specifically made to follow the ../data/rfc/rfc5807.txt: Authentication, Authorization, and Accounting (AAA) key management ../data/rfc/rfc5807.txt- guidance [RFC4962]. Other AAA key management requirements such as ../data/rfc/rfc5807.txt- key lifetime, key scope, key context, and key name are described in ../data/rfc/rfc5807.txt- Section 3. ../data/rfc/rfc5807.txt- ../data/rfc/rfc5807.txt-4.1. Channel Binding -- ../data/rfc/rfc5807.txt- ../data/rfc/rfc5807.txt- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate ../data/rfc/rfc5807.txt- Requirement Levels", BCP 14, RFC 2119, March 1997. ../data/rfc/rfc5807.txt- ../data/rfc/rfc5807.txt- [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, ../data/rfc/rfc5807.txt: Authorization, and Accounting (AAA) Key Management", ../data/rfc/rfc5807.txt- BCP 132, RFC 4962, July 2007. ../data/rfc/rfc5807.txt- ../data/rfc/rfc5807.txt- [RFC5193] Jayaraman, P., Lopez, R., Ohba, Y., Parthasarathy, M., ../data/rfc/rfc5807.txt- and A. Yegin, "Protocol for Carrying Authentication for ../data/rfc/rfc5807.txt- Network Access (PANA) Framework", RFC 5193, May 2008. -- ../data/rfc/rfc8030.txt- response with the actual TTL. This TTL value MUST be less than or ../data/rfc/rfc8030.txt- equal to the value provided by the application server. 
../data/rfc/rfc8030.txt- ../data/rfc/rfc8030.txt- Once the TTL period elapses, the push service MUST NOT attempt to ../data/rfc/rfc8030.txt- deliver the push message to the user agent. A push service might ../data/rfc/rfc8030.txt: adjust the TTL value to account for time accounting errors in ../data/rfc/rfc8030.txt- processing. For instance, distributing a push message within a ../data/rfc/rfc8030.txt- server cluster might accrue errors due to clock skew or propagation ../data/rfc/rfc8030.txt- delays. ../data/rfc/rfc8030.txt- ../data/rfc/rfc8030.txt- A push service is not obligated to account for time spent by the -- ../data/rfc/rfc8371.txt-1. Introduction ../data/rfc/rfc8371.txt- ../data/rfc/rfc8371.txt- The "Mobile Node Identifier Option for Mobile IPv6 (MIPv6)" [RFC4283] ../data/rfc/rfc8371.txt- has proved to be a popular design tool for providing identifiers for ../data/rfc/rfc8371.txt- mobile nodes during authentication procedures with Authentication, ../data/rfc/rfc8371.txt: Authorization, and Accounting (AAA) protocols such as Diameter ../data/rfc/rfc8371.txt- [RFC6733]. To date, only a single type of identifier has been ../data/rfc/rfc8371.txt- specified, namely the Mobile Node (MN) NAI. Other types of ../data/rfc/rfc8371.txt- identifiers are in common use and are even referenced in RFC 4283. ../data/rfc/rfc8371.txt- In this document, we propose adding some basic identifier types that ../data/rfc/rfc8371.txt- are defined in various telecommunications standards, including types -- ../data/rfc/rfc2849.txt-sn: Jensen ../data/rfc/rfc2849.txt-uid: bjensen ../data/rfc/rfc2849.txt-telephonenumber: +1 408 555 1212 ../data/rfc/rfc2849.txt-description: A big sailing fan. 
../data/rfc/rfc2849.txt- ../data/rfc/rfc2849.txt:dn: cn=Bjorn Jensen, ou=Accounting, dc=airius, dc=com ../data/rfc/rfc2849.txt-objectclass: top ../data/rfc/rfc2849.txt-objectclass: person ../data/rfc/rfc2849.txt-objectclass: organizationalPerson ../data/rfc/rfc2849.txt-cn: Bjorn Jensen ../data/rfc/rfc2849.txt-sn: Jensen -- ../data/rfc/rfc2849.txt-# the directory tree (only implemented by LDAPv3 servers). ../data/rfc/rfc2849.txt-dn: ou=PD Accountants, ou=Product Development, dc=airius, dc=com ../data/rfc/rfc2849.txt-changetype: modrdn ../data/rfc/rfc2849.txt-newrdn: ou=Product Development Accountants ../data/rfc/rfc2849.txt-deleteoldrdn: 0 ../data/rfc/rfc2849.txt:newsuperior: ou=Accounting, dc=airius, dc=com ../data/rfc/rfc2849.txt- ../data/rfc/rfc2849.txt- ../data/rfc/rfc2849.txt- ../data/rfc/rfc2849.txt- ../data/rfc/rfc2849.txt-Good Standards Track [Page 10] -- ../data/rfc/rfc8329.txt- components themselves. For example, the user can access a serial ../data/rfc/rfc8329.txt- console (most devices offer this interface for maintenance ../data/rfc/rfc8329.txt- reasons) to access the NSF software with the same level of ../data/rfc/rfc8329.txt- privilege of the provider. ../data/rfc/rfc8329.txt- ../data/rfc/rfc8329.txt: The use of authentication, authorization, accounting, and audit ../data/rfc/rfc8329.txt- mechanisms is recommended for all users and applications to access ../data/rfc/rfc8329.txt- the I2NSF environment. This can be further enhanced by requiring ../data/rfc/rfc8329.txt- attestation to be used to detect changes to the I2NSF environment by ../data/rfc/rfc8329.txt- authorized parties. The characteristics of these procedures will ../data/rfc/rfc8329.txt- define the level of assurance of the I2NSF environment. -- ../data/rfc/rfc8329.txt- ../data/rfc/rfc8329.txt- The network connection between the I2NSF Controller and NSFs will use ../data/rfc/rfc8329.txt- the trusted connection mechanisms described in Section 6.1. 
../data/rfc/rfc8329.txt- Following these mechanisms, the connections need to rely on the use ../data/rfc/rfc8329.txt- of properly verified peer identities (e.g., through an ../data/rfc/rfc8329.txt: Authentication, Authorization, and Accounting (AAA) framework). The ../data/rfc/rfc8329.txt- implementations of identity management functions, as well as the AAA ../data/rfc/rfc8329.txt- framework, are out of scope for I2NSF. ../data/rfc/rfc8329.txt- ../data/rfc/rfc8329.txt-6.3. Interface to vNSFs ../data/rfc/rfc8329.txt- -- ../data/rfc/rfc8329.txt- +---------------+-------------------------------------------+ ../data/rfc/rfc8329.txt- | Direction | Inbound, Outbound | ../data/rfc/rfc8329.txt- +---------------+-------------------------------------------+ ../data/rfc/rfc8329.txt- | State | Authentication State | ../data/rfc/rfc8329.txt- | | Authorization State | ../data/rfc/rfc8329.txt: | | Accounting State | ../data/rfc/rfc8329.txt- | | Session State | ../data/rfc/rfc8329.txt- +---------------+-------------------------------------------+ ../data/rfc/rfc8329.txt- ../data/rfc/rfc8329.txt- Note: ../data/rfc/rfc8329.txt- These fields are used to provide context information for -- ../data/rfc/rfc1758.txt- SD-9 Charter, Procedures and Operations of the ../data/rfc/rfc1758.txt- Central Administration for NADF ../data/rfc/rfc1758.txt- SD-10 Security & Privacy: Policy & Services ../data/rfc/rfc1758.txt- SD-11 Directory Security: Mechanisms and Practicality ../data/rfc/rfc1758.txt- SD-12 Registry of ADDMD Names ../data/rfc/rfc1758.txt: SD-13 NADF Accounting and Settlements ../data/rfc/rfc1758.txt- ../data/rfc/rfc1758.txt- SD-1 defines the scope of the NADF, whilst SD-2 describes issue of ../data/rfc/rfc1758.txt- interest to the NADF. ../data/rfc/rfc1758.txt- ../data/rfc/rfc1758.txt- The remaining documents describe the agreements necessary to achieve -- ../data/rfc/rfc1758.txt- specifies which mechanisms which will be used in the Public Directory ../data/rfc/rfc1758.txt- service. 
../data/rfc/rfc1758.txt- ../data/rfc/rfc1758.txt- SD-12 provides a registry of ADDMD names in the NADF project. ../data/rfc/rfc1758.txt- ../data/rfc/rfc1758.txt: SD-13 provides a model and general principles for accounting and ../data/rfc/rfc1758.txt- settlement in the directory. ../data/rfc/rfc1758.txt- ../data/rfc/rfc1758.txt-1.1. Document Availability ../data/rfc/rfc1758.txt- ../data/rfc/rfc1758.txt- At the present time, the NADF standing documents are available only -- ../data/rfc/rfc4828.txt- 1. Introduction ....................................................3 ../data/rfc/rfc4828.txt- 2. Conventions .....................................................5 ../data/rfc/rfc4828.txt- 3. TFRC-SP Congestion Control ......................................5 ../data/rfc/rfc4828.txt- 4. TFRC-SP Discussion ..............................................9 ../data/rfc/rfc4828.txt- 4.1. Response Functions and Throughput Equations ................9 ../data/rfc/rfc4828.txt: 4.2. Accounting for Header Size ................................12 ../data/rfc/rfc4828.txt- 4.3. The TFRC-SP Min Interval ..................................13 ../data/rfc/rfc4828.txt- 4.4. Counting Packet Losses ....................................14 ../data/rfc/rfc4828.txt- 4.5. The Nominal Packet Size ...................................15 ../data/rfc/rfc4828.txt- 4.5.1. Packet Size and Packet Drop Rates ..................15 ../data/rfc/rfc4828.txt- 4.5.2. Fragmentation and the Path MTU .....................17 -- ../data/rfc/rfc4828.txt- receiving the same packet drop rate. ../data/rfc/rfc4828.txt- ../data/rfc/rfc4828.txt- Simulations showing TCP, standard TFRC, and TFRC-SP sending rates in ../data/rfc/rfc4828.txt- response to a configured byte drop rate are given in Appendix B.2. ../data/rfc/rfc4828.txt- ../data/rfc/rfc4828.txt:4.2. 
Accounting for Header Size ../data/rfc/rfc4828.txt- ../data/rfc/rfc4828.txt- [RFC3714] makes the optimistic assumption that the limitation of the ../data/rfc/rfc4828.txt- network is in bandwidth in bytes per second (Bps), and not in CPU ../data/rfc/rfc4828.txt- cycles or in packets per second (pps). However, some attention must ../data/rfc/rfc4828.txt- be paid to the load in pps as well as to the load in Bps. Even aside -- ../data/rfc/rfc7296.txt- included in the two messages following the one containing the EAP ../data/rfc/rfc7296.txt- Success message. ../data/rfc/rfc7296.txt- ../data/rfc/rfc7296.txt- When the initiator authentication uses EAP, it is possible that the ../data/rfc/rfc7296.txt- contents of the IDi payload is used only for Authentication, ../data/rfc/rfc7296.txt: Authorization, and Accounting (AAA) routing purposes and selecting ../data/rfc/rfc7296.txt- which EAP method to use. This value may be different from the ../data/rfc/rfc7296.txt- identity authenticated by the EAP method. It is important that ../data/rfc/rfc7296.txt- policy lookups and access control decisions use the actual ../data/rfc/rfc7296.txt- authenticated identity. Often the EAP server is implemented in a ../data/rfc/rfc7296.txt- separate AAA server that communicates with the IKEv2 responder. In -- ../data/rfc/rfc7055.txt- methods are in wide use; one of EAP's strengths is that for most ../data/rfc/rfc7055.txt- types of credentials in common use, there is an EAP method that ../data/rfc/rfc7055.txt- permits the credential to be used. ../data/rfc/rfc7055.txt- ../data/rfc/rfc7055.txt- EAP is often used in conjunction with a backend Authentication, ../data/rfc/rfc7055.txt: Authorization and Accounting (AAA) server via RADIUS [RFC3579] or ../data/rfc/rfc7055.txt- Diameter [RFC4072]. In this mode, the Network Access Server (NAS) ../data/rfc/rfc7055.txt- simply tunnels EAP packets over the backend authentication protocol ../data/rfc/rfc7055.txt- to a home EAP/AAA server for the client. 
After EAP succeeds, the ../data/rfc/rfc7055.txt- backend authentication protocol is used to communicate key material ../data/rfc/rfc7055.txt- to the NAS. In this mode, the NAS need not be aware of or have any -- ../data/rfc/rfc5969.txt- and could be disruptive. As such, it is recommended that the service ../data/rfc/rfc5969.txt- provider assign CE IPv4 addresses with relatively long lifetimes. ../data/rfc/rfc5969.txt- ../data/rfc/rfc5969.txt- 6rd IPv6 address assignment, and hence the IPv6 service itself, is ../data/rfc/rfc5969.txt- tied to the IPv4 address lease; thus, the 6rd service is also tied to ../data/rfc/rfc5969.txt: this in terms of authorization, accounting, etc. For example, the ../data/rfc/rfc5969.txt- 6rd delegated prefix has the same lifetime as its associated IPv4 ../data/rfc/rfc5969.txt- address. The prefix lifetimes advertised in Router Advertisements or ../data/rfc/rfc5969.txt- used by DHCP on the CE LAN side MUST be equal to or shorter than the ../data/rfc/rfc5969.txt- IPv4 address lease time. If the IPv4 lease time is not known, the ../data/rfc/rfc5969.txt- lifetime of the 6rd delegated prefix SHOULD follow the defaults -- ../data/rfc/rfc542.txt- the first command transmitted by the user after the TELNET ../data/rfc/rfc542.txt- connections are made (some servers may require this). ../data/rfc/rfc542.txt- Additional identification information in the form of a password ../data/rfc/rfc542.txt- and/or an account command may also be required by some servers. ../data/rfc/rfc542.txt- Servers may allow a new USER command to be entered at any point ../data/rfc/rfc542.txt: in order to change the access control and/or accounting ../data/rfc/rfc542.txt- information. This has the effect of flushing any user, ../data/rfc/rfc542.txt- password, and account information already supplied and ../data/rfc/rfc542.txt- beginning the login sequence again. 
All transfer parameters ../data/rfc/rfc542.txt- are unchanged and any file transfer in progress is completed ../data/rfc/rfc542.txt- under the old acccount. -- ../data/rfc/rfc542.txt- ../data/rfc/rfc542.txt- Change Working Directory (XCWD) ../data/rfc/rfc542.txt- ../data/rfc/rfc542.txt- This command allows the user to work with a different directory ../data/rfc/rfc542.txt- or dataset for file storage or retrieval without altering his ../data/rfc/rfc542.txt: login or accounting information. Transfer parameters are ../data/rfc/rfc542.txt- similarly unchanged. The argument is a pathname specifying a ../data/rfc/rfc542.txt- directory or other system dependent file group designator. ../data/rfc/rfc542.txt- ../data/rfc/rfc542.txt- FTP REPLIES ../data/rfc/rfc542.txt- -- ../data/rfc/rfc8869.txt- behavior of end-to-end real-time multimedia congestion control. ../data/rfc/rfc8869.txt- ../data/rfc/rfc8869.txt- Unless otherwise mentioned, the test cases in this section choose the ../data/rfc/rfc8869.txt- PHY- and MAC-layer parameters based on the IEEE 802.11n standard. ../data/rfc/rfc8869.txt- Statistics collected from enterprise Wi-Fi networks show that the two ../data/rfc/rfc8869.txt: dominant physical modes are 802.11n and 802.11ac, accounting for 41% ../data/rfc/rfc8869.txt- and 58% of connected devices, respectively. As Wi-Fi standards ../data/rfc/rfc8869.txt- evolve over time -- for instance, with the introduction of the ../data/rfc/rfc8869.txt- emerging Wi-Fi 6 (based on IEEE 802.11ax) products -- the PHY- and ../data/rfc/rfc8869.txt- MAC-layer test case specifications need to be updated accordingly to ../data/rfc/rfc8869.txt- reflect such changes. -- ../data/rfc/rfc5515.txt- ../data/rfc/rfc5515.txt- The L2TP AVPs defined in this document MAY be used with either an ../data/rfc/rfc5515.txt- L2TPv2 [RFC2661] or L2TPv3 [RFC3931] implementation. 
../data/rfc/rfc5515.txt- ../data/rfc/rfc5515.txt- The information acquired may be used to provide authentication, ../data/rfc/rfc5515.txt: policy, and accounting functionality. It may also be collected and ../data/rfc/rfc5515.txt- used for management and troubleshooting purposes. ../data/rfc/rfc5515.txt- ../data/rfc/rfc5515.txt-2. Terminology ../data/rfc/rfc5515.txt- ../data/rfc/rfc5515.txt- The following sections define the usage and meaning of certain -- ../data/rfc/rfc820.txt- 72-149 110-225 Reserved [JBP] ../data/rfc/rfc820.txt- 150 226 Xerox NS IP [59,LLG] ../data/rfc/rfc820.txt- 151 227 Unassigned [JBP] ../data/rfc/rfc820.txt- 152 230 PARC Universal Protocol [4,EAT3] ../data/rfc/rfc820.txt- 153 231 TIP Status Reporting [JGH] ../data/rfc/rfc820.txt: 154 232 TIP Accounting [JGH] ../data/rfc/rfc820.txt- 155 233 Internet Protocol (regular) [33,62,JBP] ../data/rfc/rfc820.txt- 156-158 234-236 Internet Protocol (experimental) [33,62,JBP] ../data/rfc/rfc820.txt- 159-195 237-303 Unassigned [JBP] ../data/rfc/rfc820.txt- 196-255 304-377 Experimental Protocols [JBP] ../data/rfc/rfc820.txt- 248-255 370-377 Network Maintenance [JGH] -- ../data/rfc/rfc2940.txt- copsClientServerType CopsServerEntryType, ../data/rfc/rfc2940.txt- copsClientServerAuthType CopsAuthType, ../data/rfc/rfc2940.txt- copsClientServerLastConnAttempt TimeStamp, ../data/rfc/rfc2940.txt- copsClientState CopsClientState, ../data/rfc/rfc2940.txt- copsClientServerKeepaliveTime TimeInterval, ../data/rfc/rfc2940.txt: copsClientServerAccountingTime TimeInterval, ../data/rfc/rfc2940.txt- copsClientInPkts Counter32, ../data/rfc/rfc2940.txt- copsClientOutPkts Counter32, ../data/rfc/rfc2940.txt- copsClientInErrs Counter32, ../data/rfc/rfc2940.txt- copsClientLastError CopsErrorCode, ../data/rfc/rfc2940.txt- copsClientTcpConnectAttempts Counter32, -- ../data/rfc/rfc2940.txt- A value of zero indicates no keepalive activity is expected." 
../data/rfc/rfc2940.txt- REFERENCE ../data/rfc/rfc2940.txt- "RFC 2748 section 3.7, 4.4" ../data/rfc/rfc2940.txt- ::= { copsClientServerCurrentEntry 9 } ../data/rfc/rfc2940.txt- ../data/rfc/rfc2940.txt:copsClientServerAccountingTime OBJECT-TYPE ../data/rfc/rfc2940.txt- SYNTAX TimeInterval ../data/rfc/rfc2940.txt- MAX-ACCESS read-only ../data/rfc/rfc2940.txt- STATUS current ../data/rfc/rfc2940.txt- DESCRIPTION ../data/rfc/rfc2940.txt: "The value of the COPS protocol Accounting timeout, in ../data/rfc/rfc2940.txt- centiseconds, currently in use by this client, as specified ../data/rfc/rfc2940.txt- by the COPS server in the Client-Accept operation. A value ../data/rfc/rfc2940.txt: of zero indicates no accounting activity is to be performed." ../data/rfc/rfc2940.txt- REFERENCE ../data/rfc/rfc2940.txt- "RFC 2748 section 3.7" ../data/rfc/rfc2940.txt- ::= { copsClientServerCurrentEntry 10 } ../data/rfc/rfc2940.txt- ../data/rfc/rfc2940.txt-copsClientInPkts OBJECT-TYPE -- ../data/rfc/rfc2940.txt- OBJECTS { ../data/rfc/rfc2940.txt- copsClientCapabilities, ../data/rfc/rfc2940.txt- copsClientServerTcpPort, copsClientServerType, ../data/rfc/rfc2940.txt- copsClientServerAuthType, copsClientServerLastConnAttempt, ../data/rfc/rfc2940.txt- copsClientState, copsClientServerKeepaliveTime, ../data/rfc/rfc2940.txt: copsClientServerAccountingTime, copsClientInPkts, ../data/rfc/rfc2940.txt- copsClientOutPkts, copsClientInErrs, copsClientLastError, ../data/rfc/rfc2940.txt- copsClientTcpConnectAttempts, copsClientTcpConnectFailures, ../data/rfc/rfc2940.txt- copsClientOpenAttempts, copsClientOpenFailures, ../data/rfc/rfc2940.txt- copsClientErrUnsupportClienttype, ../data/rfc/rfc2940.txt- copsClientErrUnsupportedVersion, copsClientErrLengthMismatch, -- ../data/rfc/rfc216.txt- Center Office, (805) 961- 2261). ../data/rfc/rfc216.txt- ../data/rfc/rfc216.txt-IV. 
System Access ../data/rfc/rfc216.txt- ../data/rfc/rfc216.txt- The Network user is encouraged to explore the System and is invited ../data/rfc/rfc216.txt: to do so with the following accounting parameters: ../data/rfc/rfc216.txt- ../data/rfc/rfc216.txt- User Number: 196 ../data/rfc/rfc216.txt- Id Number: 57372 ../data/rfc/rfc216.txt- User Name: ARPA ../data/rfc/rfc216.txt- Problem Name: (affiliation)-(name) -- ../data/rfc/rfc5778.txt- This document defines the home agent to the Diameter server ../data/rfc/rfc5778.txt- communication when the mobile node authenticates using the Internet ../data/rfc/rfc5778.txt- Key Exchange v2 protocol with the Extensible Authentication Protocol ../data/rfc/rfc5778.txt- or using the Mobile IPv6 Authentication Protocol. In addition to ../data/rfc/rfc5778.txt- authentication and authorization, the configuration of Mobile IPv6- ../data/rfc/rfc5778.txt: specific parameters and accounting is specified in this document. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-Status of This Memo ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- This is an Internet Standards Track document. ../data/rfc/rfc5778.txt- -- ../data/rfc/rfc5778.txt- 4.3. Mobile IPv6 Session Management ............................11 ../data/rfc/rfc5778.txt- 4.3.1. Session-Termination-Request ........................11 ../data/rfc/rfc5778.txt- 4.3.2. Session-Termination-Answer .........................11 ../data/rfc/rfc5778.txt- 4.3.3. Abort-Session-Request ..............................12 ../data/rfc/rfc5778.txt- 4.3.4. Abort-Session-Answer ...............................12 ../data/rfc/rfc5778.txt: 4.4. Accounting for Mobile IPv6 Services .......................12 ../data/rfc/rfc5778.txt: 4.4.1. Accounting-Request .................................13 ../data/rfc/rfc5778.txt: 4.4.2. Accounting-Answer ..................................13 ../data/rfc/rfc5778.txt- 5. Command Codes ..................................................13 ../data/rfc/rfc5778.txt- 5.1. 
Command Code for Mobile IPv6 with IKEv2 and EAP ...........13 ../data/rfc/rfc5778.txt- 5.1.1. Diameter-EAP-Request ...............................13 ../data/rfc/rfc5778.txt- 5.1.2. Diameter-EAP-Answer ................................14 ../data/rfc/rfc5778.txt- 5.2. Command Codes for Mobile IPv6 Authentication -- ../data/rfc/rfc5778.txt- 6.16. MIP-Timestamp AVP ........................................25 ../data/rfc/rfc5778.txt- 6.17. QoS-Capability AVP .......................................25 ../data/rfc/rfc5778.txt- 6.18. QoS-Resources AVP ........................................25 ../data/rfc/rfc5778.txt- 6.19. Chargeable-User-Identity AVP .............................25 ../data/rfc/rfc5778.txt- 6.20. MIP6-Auth-Mode AVP .......................................25 ../data/rfc/rfc5778.txt: 6.21. Accounting AVPs ..........................................26 ../data/rfc/rfc5778.txt- 7. Result-Code AVP Values .........................................27 ../data/rfc/rfc5778.txt- 7.1. Success ...................................................27 ../data/rfc/rfc5778.txt- 7.2. Permanent Failures ........................................27 ../data/rfc/rfc5778.txt- 8. AVP Occurrence Tables ..........................................27 ../data/rfc/rfc5778.txt- 8.1. DER, DEA, MIR, and MIA AVP/Command-Code Table .............28 ../data/rfc/rfc5778.txt: 8.2. Coupled Accounting Model AVP Table ........................28 ../data/rfc/rfc5778.txt- 9. IANA Considerations ............................................29 ../data/rfc/rfc5778.txt- 9.1. Command Codes .............................................29 ../data/rfc/rfc5778.txt- 9.2. AVP Codes .................................................29 ../data/rfc/rfc5778.txt- 9.3. Result-Code AVP Values ....................................30 ../data/rfc/rfc5778.txt- 9.4. 
Application Identifier ....................................30 -- ../data/rfc/rfc5778.txt- mobility in an MN without having to establish an IPsec SA with its ../data/rfc/rfc5778.txt- HA. Providing the collection of home address, HA address, and keying ../data/rfc/rfc5778.txt- material is generally referred to as the Mobile IPv6 bootstrapping ../data/rfc/rfc5778.txt- problem [RFC4640]. The purpose of this specification is to provide ../data/rfc/rfc5778.txt- Diameter support for the interaction between the HA and the ../data/rfc/rfc5778.txt: Authentication, Authorization, and Accounting (AAA) server. This ../data/rfc/rfc5778.txt- specification satisfies the requirements defined in [RFC5637] for the ../data/rfc/rfc5778.txt- bootstrapping problem in the split scenario [RFC5026] and also ../data/rfc/rfc5778.txt- specifies Diameter support for the Authentication Protocol for Mobile ../data/rfc/rfc5778.txt- IPv6 [RFC4285]. The Diameter support defined in this specification ../data/rfc/rfc5778.txt- also applies to Dual Stack Mobile IPv6 [RFC5555]. -- ../data/rfc/rfc5778.txt- Mobile IPv6 parameters. Thus, prior to processing the Mobile IPv6 ../data/rfc/rfc5778.txt- registrations, the HA participates in the authentication of the MN to ../data/rfc/rfc5778.txt- verify the MN's identity. The HA also participates in the Mobile ../data/rfc/rfc5778.txt- IPv6 authorization process involving the Diameter infrastructure. ../data/rfc/rfc5778.txt- The HA, due to its role in traffic forwarding, may also perform ../data/rfc/rfc5778.txt: accounting for the Mobile IPv6 service provided to the MN. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- This document enables the following functionality: ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- Authentication: The MN's identity needs to be verified. As a ../data/rfc/rfc5778.txt- Diameter client supporting the new Diameter Mobile IPv6 -- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- authorization decisions. 
This document defines required AAA ../data/rfc/rfc5778.txt- procedures and requires the HA to support them and to participate ../data/rfc/rfc5778.txt- in this authorization signaling. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: Accounting: For accounting purposes and capacity planning, it is ../data/rfc/rfc5778.txt: required that the HA provides accounting reports to the Diameter ../data/rfc/rfc5778.txt: infrastructure and thus supports the related Diameter accounting ../data/rfc/rfc5778.txt- procedures. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- Session Management: The management of the mobility services may ../data/rfc/rfc5778.txt- require the Diameter server or the HA to terminate the Mobile IPv6 ../data/rfc/rfc5778.txt- service before the binding expires. This document defines -- ../data/rfc/rfc5778.txt- o Mobile IPv6 Authentication Protocol ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- New authentication mechanisms may be added later by separate ../data/rfc/rfc5778.txt- specifications. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: For accounting of Mobile IPv6 services provided to the MN, this ../data/rfc/rfc5778.txt: specification uses the Diameter base protocol accounting defined in ../data/rfc/rfc5778.txt- [RFC3588]. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-2. Terminology ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", -- ../data/rfc/rfc5778.txt- document are to be interpreted as described in [RFC2119]. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- The Mobile IPv6 bootstrapping terminology is taken from [RFC4640]. ../data/rfc/rfc5778.txt- Additional terminology is defined below: ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: Authentication, Authorization, and Accounting (AAA): ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- AAA protocol based on Diameter [RFC3588] with required EAP support ../data/rfc/rfc5778.txt- [RFC4072]. 
../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- Home AAA (AAAH): ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: An authentication, authorization, and accounting server located in ../data/rfc/rfc5778.txt- the user's home network, i.e., in the home realm. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-3. Application Identifiers ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- This specification defines two new Diameter applications and their -- ../data/rfc/rfc5778.txt-Korhonen, et al. Standards Track [Page 6] ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-RFC 5778 Diameter MIPv6: HA-to-AAAH Support February 2010 ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: Mobile IPv6-related accounting information generated by the HA uses ../data/rfc/rfc5778.txt- either the MIP6I or the MIP6A Application Identifier in the case of ../data/rfc/rfc5778.txt: the coupled accounting model. The Diameter Base Accounting ../data/rfc/rfc5778.txt- Application Identifier (value of 3) is used in the case of the split ../data/rfc/rfc5778.txt: accounting model. Refer to Section 4.4 for more information ../data/rfc/rfc5778.txt: regarding the accounting models. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-4. Protocol Description ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-4.1. Support for Mobile IPv6 with IKEv2 and EAP ../data/rfc/rfc5778.txt- -- ../data/rfc/rfc5778.txt- can then indicate the preferred responder type using the appropriate ../data/rfc/rfc5778.txt- IDr payload in the IKE_AUTH message. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- Eventually, when the HA receives a Binding Update (BU), the HA ../data/rfc/rfc5778.txt- authenticates and authorizes the MN. It is RECOMMENDED that the HA ../data/rfc/rfc5778.txt: sends an accounting request message every time it receives a BU. 
../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- -- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- The procedure described in this specification for the Mobile IPv6 ../data/rfc/rfc5778.txt- Authentication Protocol is only needed for the initially received BU ../data/rfc/rfc5778.txt- for which the HA does not have an existing security association. ../data/rfc/rfc5778.txt- When the HA receives subsequent BUs, they are processed locally in ../data/rfc/rfc5778.txt: the HA. It is RECOMMENDED that the HA sends an accounting request ../data/rfc/rfc5778.txt- message every time it receives a Binding Update. However, the HA MAY ../data/rfc/rfc5778.txt- re-authorize the MN with the Diameter server at any time depending on ../data/rfc/rfc5778.txt- the deployment and the local policy. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- This specification assumes that in the case where Mobile IPv6 -- ../data/rfc/rfc5778.txt-4.3.4. Abort-Session-Answer ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- The Abort-Session-Answer (ASA) message [RFC3588] is sent by the home ../data/rfc/rfc5778.txt- agent in response to an ASR message. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt:4.4. Accounting for Mobile IPv6 Services ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: The HA MUST be able to act as a Diameter client collecting accounting ../data/rfc/rfc5778.txt- records needed for service control and charging. The HA MUST support ../data/rfc/rfc5778.txt: the accounting procedures (specifically the command codes mentioned ../data/rfc/rfc5778.txt: below) and the Accounting Session State Machine as defined in ../data/rfc/rfc5778.txt- [RFC3588]. The command codes, exchanged between the HA and Diameter ../data/rfc/rfc5778.txt: server for accounting purposes, are provided in the following ../data/rfc/rfc5778.txt- subsections. 
../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- The Diameter application design guideline [DIME-APP] defines two ../data/rfc/rfc5778.txt: separate models for accounting: ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: Split accounting model: ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: According to this model, the accounting messages use the Diameter ../data/rfc/rfc5778.txt: Base Accounting Application Identifier (value of 3). Since ../data/rfc/rfc5778.txt: accounting is treated as an independent application, accounting ../data/rfc/rfc5778.txt- commands may be routed separately from the rest of application ../data/rfc/rfc5778.txt: messages and thus the accounting messages generally end up in a ../data/rfc/rfc5778.txt: central accounting server. Since the Diameter Mobile IPv6 ../data/rfc/rfc5778.txt: application does not define its own unique accounting commands, ../data/rfc/rfc5778.txt- this is the preferred choice, since it permits use of centralized ../data/rfc/rfc5778.txt: accounting for several applications. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: Coupled accounting model: ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: In this model, the accounting messages will use either the MIP6I ../data/rfc/rfc5778.txt: or the MIP6A Application Identifiers. This means that accounting ../data/rfc/rfc5778.txt- messages will be routed like any other Mobile IPv6 application ../data/rfc/rfc5778.txt- messages. This requires the Diameter server in charge of Mobile ../data/rfc/rfc5778.txt: IPv6 application to handle the accounting records (e.g., sends ../data/rfc/rfc5778.txt: them to a proper accounting server). ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-Korhonen, et al. 
Standards Track [Page 12] ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-RFC 5778 Diameter MIPv6: HA-to-AAAH Support February 2010 ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- As mentioned above, the preferred choice is to use the split ../data/rfc/rfc5778.txt: accounting model and thus to choose Diameter Base Accounting ../data/rfc/rfc5778.txt: Application Identifier (value of 3) for accounting messages. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt:4.4.1. Accounting-Request ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: The Accounting-Request command [RFC3588] is sent by the HA to the ../data/rfc/rfc5778.txt: Diameter server to exchange accounting information regarding the MN ../data/rfc/rfc5778.txt- with the Diameter server. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt:4.4.2. Accounting-Answer ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: The Accounting-Answer command [RFC3588] is sent by the Diameter ../data/rfc/rfc5778.txt: server to the HA to acknowledge an Accounting-Request. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-5. Command Codes ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-5.1. Command Code for Mobile IPv6 with IKEv2 and EAP ../data/rfc/rfc5778.txt- -- ../data/rfc/rfc5778.txt- If the Diameter server does not support the Mobile IPv6 ../data/rfc/rfc5778.txt- Authentication Protocol usage mode proposed by the HA, then the ../data/rfc/rfc5778.txt- Diameter server MUST fail the authentication/authorization and MUST ../data/rfc/rfc5778.txt- set the Result-Code AVP to the value of DIAMETER_ERROR_AUTH_MODE. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt:6.21. Accounting AVPs ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- Diameter Mobile IPv6 applications, either MIP6I or MIP6A, are used in ../data/rfc/rfc5778.txt- the case of the coupled accounting model. Diameter Mobile IPv4 ../data/rfc/rfc5778.txt: application [RFC4004] accounting AVPs are reused in this document. 
../data/rfc/rfc5778.txt: The following AVPs SHOULD be included in the accounting request ../data/rfc/rfc5778.txt- message: ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: o Accounting-Input-Octets: Number of octets in IP packets received ../data/rfc/rfc5778.txt- from the mobile node. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: o Accounting-Output-Octets: Number of octets in IP packets sent by ../data/rfc/rfc5778.txt- the mobile node. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: o Accounting-Input-Packets: Number of IP packets received from the ../data/rfc/rfc5778.txt- mobile node. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt: o Accounting-Output-Packets: Number of IP packets sent by the mobile ../data/rfc/rfc5778.txt- node. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- o Acct-Multi-Session-Id: Used to link together multiple related ../data/rfc/rfc5778.txt: accounting sessions, where each session would have a unique ../data/rfc/rfc5778.txt- Session-Id, but the same Acct-Multi-Session-Id AVP. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- o Acct-Session-Time: Indicates the length of the current session in ../data/rfc/rfc5778.txt- seconds. ../data/rfc/rfc5778.txt- -- ../data/rfc/rfc5778.txt- QoS-Capability | 0-1 | 0 | 0-1 | 0 | ../data/rfc/rfc5778.txt- Chargeable-User-Identity | 0-1 | 0-1 | 0-1 | 0-1 | ../data/rfc/rfc5778.txt- MIP6-Auth-Mode | 0 | 0 | 1 | 0 | ../data/rfc/rfc5778.txt- +-----+-----+-----+-----+ ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt:8.2. Coupled Accounting Model AVP Table ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- The table in this section is used to represent which AVPs defined in ../data/rfc/rfc5778.txt: this document are to be present in the Accounting messages, as ../data/rfc/rfc5778.txt- defined in [RFC3588]. 
../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- -- ../data/rfc/rfc5778.txt- +-------------+ ../data/rfc/rfc5778.txt- | Command-Code| ../data/rfc/rfc5778.txt- |------+------+ ../data/rfc/rfc5778.txt- Attribute Name | ACR | ACA | ../data/rfc/rfc5778.txt- -------------------------------------|------+------+ ../data/rfc/rfc5778.txt: Accounting-Input-Octets | 0-1 | 0-1 | ../data/rfc/rfc5778.txt: Accounting-Input-Packets | 0-1 | 0-1 | ../data/rfc/rfc5778.txt: Accounting-Output-Octets | 0-1 | 0-1 | ../data/rfc/rfc5778.txt: Accounting-Output-Packets | 0-1 | 0-1 | ../data/rfc/rfc5778.txt- Acct-Multi-Session-Id | 0-1 | 0-1 | ../data/rfc/rfc5778.txt- Acct-Session-Time | 0-1 | 0-1 | ../data/rfc/rfc5778.txt- MIP6-Feature-Vector | 0-1 | 0-1 | ../data/rfc/rfc5778.txt- MIP6-Agent-Info | 0-1 | 0-1 | ../data/rfc/rfc5778.txt- MIP-Mobile-Node-Address | 0-2 | 0-2 | -- ../data/rfc/rfc5778.txt- [RFC5555] Soliman, H., "Mobile IPv6 Support for Dual Stack Hosts ../data/rfc/rfc5778.txt- and Routers", RFC 5555, June 2009. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- [RFC5637] Giaretta, G., Guardini, I., Demaria, E., Bournelle, J., ../data/rfc/rfc5778.txt- and R. Lopez, "Authentication, Authorization, and ../data/rfc/rfc5778.txt: Accounting (AAA) Goals for Mobile IPv6", RFC 5637, ../data/rfc/rfc5778.txt- September 2009. ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt- ../data/rfc/rfc5778.txt-Korhonen, et al. Standards Track [Page 33] -- ../data/rfc/rfc1281.txt- 20510, October 1987. ../data/rfc/rfc1281.txt- ../data/rfc/rfc1281.txt- [16] "Summary of General Legislation Relating to Privacy and Computer ../data/rfc/rfc1281.txt- Security", Appendix 1 of, COMPUTERS and PRIVACY: How the ../data/rfc/rfc1281.txt- Government Obtains, Verifies, Uses and Protects Personal Data, ../data/rfc/rfc1281.txt: GAO/IMTEC-90-70BR, United States General Accounting Office, ../data/rfc/rfc1281.txt- Washington, DC 20548, pp. 
36-40, August 1990. ../data/rfc/rfc1281.txt- ../data/rfc/rfc1281.txt- [17] Stout, E., "U.S. Geological Survey System Security Plan - FY ../data/rfc/rfc1281.txt- 1990", U.S. Geological Survey ISD, MS809, Reston, VA, 22092, May ../data/rfc/rfc1281.txt- 1990. -- ../data/rfc/rfc7491.txt- capability. ../data/rfc/rfc7491.txt- ../data/rfc/rfc7491.txt- - Client microflows should not trigger server-layer setup or ../data/rfc/rfc7491.txt- allocation. ../data/rfc/rfc7491.txt- ../data/rfc/rfc7491.txt: - Accounting capabilities should be supported. ../data/rfc/rfc7491.txt- ../data/rfc/rfc7491.txt- - Security mechanisms for authorization of requests and capabilities ../data/rfc/rfc7491.txt- are required. ../data/rfc/rfc7491.txt- ../data/rfc/rfc7491.txt- Other policy-related functionality in the system might include the -- ../data/rfc/rfc1812.txt- an essential part of any router implementation. Although these ../data/rfc/rfc1812.txt- functions do not seem to relate directly to interoperability, they ../data/rfc/rfc1812.txt- are essential to the network manager who must make the router ../data/rfc/rfc1812.txt- interoperate and must track down problems when it doesn't. This ../data/rfc/rfc1812.txt- chapter also includes some discussion of router initialization and of ../data/rfc/rfc1812.txt: facilities to assist network managers in securing and accounting for ../data/rfc/rfc1812.txt- their networks. 
../data/rfc/rfc1812.txt- ../data/rfc/rfc1812.txt-10.1 Introduction ../data/rfc/rfc1812.txt- ../data/rfc/rfc1812.txt- The following kinds of activities are included under router O&M: -- ../data/rfc/rfc1812.txt-Baker Standards Track [Page 131] ../data/rfc/rfc1812.txt- ../data/rfc/rfc1812.txt-RFC 1812 Requirements for IP Version 4 Routers June 1995 ../data/rfc/rfc1812.txt- ../data/rfc/rfc1812.txt- ../data/rfc/rfc1812.txt: (2) Packet Accounting ../data/rfc/rfc1812.txt- ../data/rfc/rfc1812.txt- Vendors should strongly consider providing a system for ../data/rfc/rfc1812.txt- tracking traffic levels between pairs of hosts or networks. ../data/rfc/rfc1812.txt- A mechanism for limiting the collection of this information ../data/rfc/rfc1812.txt- to specific pairs of hosts or networks is also strongly -- ../data/rfc/rfc3000.txt-WEBDAV HTTP Extensions for Distributed Authoring -- WEBDAV 2518 ../data/rfc/rfc3000.txt-ATM-MIBMAN Definitions of Managed Objects for ATM Management 2515 ../data/rfc/rfc3000.txt-ATM-TC-OID Definitions of Textual Conventions and OBJECT- 2514 ../data/rfc/rfc3000.txt- IDENTITIES for ATM Management ../data/rfc/rfc3000.txt--------- Managed Objects for Controlling the Collection 2513 ../data/rfc/rfc3000.txt: and Storage of Accounting Information for ../data/rfc/rfc3000.txt- Connection-Oriented Networks ../data/rfc/rfc3000.txt:-------- Accounting Information for ATM Networks 2512 ../data/rfc/rfc3000.txt- ../data/rfc/rfc3000.txt- ../data/rfc/rfc3000.txt- ../data/rfc/rfc3000.txt-IETF Standards Track [Page 21] ../data/rfc/rfc3000.txt- -- ../data/rfc/rfc5193.txt-RFC 5193 PANA Framework May 2008 ../data/rfc/rfc5193.txt- ../data/rfc/rfc5193.txt- ../data/rfc/rfc5193.txt- enables the authentication process between the two entities, it is ../data/rfc/rfc5193.txt- only a part of an overall AAA (Authentication, Authorization and ../data/rfc/rfc5193.txt: Accounting) and access control framework. 
A AAA and access control ../data/rfc/rfc5193.txt- framework using PANA is comprised of four functional entities. ../data/rfc/rfc5193.txt- ../data/rfc/rfc5193.txt- Figure 1 illustrates these functional entities and the interfaces ../data/rfc/rfc5193.txt- (protocols, APIs) among them. ../data/rfc/rfc5193.txt- -- ../data/rfc/rfc7323.txt- calculated by the RTO mechanism in [RFC6298], and the below algorithm ../data/rfc/rfc7323.txt- aims to maintain a similar history as originally intended by ../data/rfc/rfc7323.txt- [RFC6298]. ../data/rfc/rfc7323.txt- ../data/rfc/rfc7323.txt- It is roughly known how many samples a congestion window worth of ../data/rfc/rfc7323.txt: data will yield, not accounting for ACK compression, and ACK losses. ../data/rfc/rfc7323.txt- Such events will result in more history of the path being reflected ../data/rfc/rfc7323.txt- in the final value for RTO, and are uncritical. This modification ../data/rfc/rfc7323.txt- will ensure that a similar amount of time is taken into account for ../data/rfc/rfc7323.txt- the RTO estimation, regardless of how many samples are taken per ../data/rfc/rfc7323.txt- window: -- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- This document provides a printer industry standard SNMP MIB for (1) ../data/rfc/rfc2707.txt- monitoring the status and progress of print jobs (2) obtaining ../data/rfc/rfc2707.txt- resource requirements before a job is processed, (3) monitoring ../data/rfc/rfc2707.txt- resource consumption while a job is being processed and (4) ../data/rfc/rfc2707.txt: collecting resource accounting data after the completion of a job. ../data/rfc/rfc2707.txt- This MIB is intended to be implemented (1) in a printer or (2) in a ../data/rfc/rfc2707.txt- server that supports one or more printers. Use of the object set is ../data/rfc/rfc2707.txt- not limited to printing. However, support for services other than ../data/rfc/rfc2707.txt- printing is outside the scope of this Job Monitoring MIB. 
Future ../data/rfc/rfc2707.txt- -- ../data/rfc/rfc2707.txt- it would be running for a long period of time and may also be ../data/rfc/rfc2707.txt- interested in the jobs that have completed. Finally such a ../data/rfc/rfc2707.txt- program may be used to provide an enhanced console and ../data/rfc/rfc2707.txt- logging capability. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt: 3. Collect resource usage for accounting or system utilization ../data/rfc/rfc2707.txt- purposes that copy the completed job statistics to an ../data/rfc/rfc2707.txt: accounting system. It is recognized that depending on ../data/rfc/rfc2707.txt: accounting programs to copy MIB data during the job-retention ../data/rfc/rfc2707.txt: period is somewhat unreliable, since the accounting program ../data/rfc/rfc2707.txt- may not be running (or may have crashed). Such a program is ../data/rfc/rfc2707.txt- also expected to keep a shadow copy of the entire Job ../data/rfc/rfc2707.txt- Attribute table including completed, canceled, and aborted ../data/rfc/rfc2707.txt- jobs which the program updates on each polling cycle. Such a ../data/rfc/rfc2707.txt- program polls at the rate of the persistence of the Attribute -- ../data/rfc/rfc2707.txt- drawn from the ISO 10175 Document Printing Application (DPA) ../data/rfc/rfc2707.txt- standard [iso-dpa]. For example, PostScript systems use the term ../data/rfc/rfc2707.txt- session for what is called a job in this specification and the ../data/rfc/rfc2707.txt- term job to mean what is called a document in this specification. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt: Accounting Application: The SNMP management application that copies ../data/rfc/rfc2707.txt- job information to some more permanent medium so that another ../data/rfc/rfc2707.txt: application can perform accounting on the data for Accountants, Asset ../data/rfc/rfc2707.txt- Managers, and Capacity Planners use. 
../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- Agent: The network entity that accepts SNMP requests from a monitor ../data/rfc/rfc2707.txt: or accounting application and provides access to the instrumentation ../data/rfc/rfc2707.txt- for managing jobs modeled by the management objects defined in the ../data/rfc/rfc2707.txt- Job Monitoring MIB module for a server or a device. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- Attribute: A name, value-pair that specifies a job or document ../data/rfc/rfc2707.txt- instruction, a status, or a condition of a job or a document that has -- ../data/rfc/rfc2707.txt- the marker marks on both sides of a sheet in a single pass. Two-up ../data/rfc/rfc2707.txt- printing is the placement of two logical pages on one side of a sheet ../data/rfc/rfc2707.txt- and so is still a single impression. See "page" and "sheet". ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- NOTE - Since impressions include blank sides, it is suggested that ../data/rfc/rfc2707.txt: accounting application implementers consider charging for sheets, ../data/rfc/rfc2707.txt- rather than impressions, possibly using the value of the sides ../data/rfc/rfc2707.txt- attribute to select different charges for one-sided versus two-sided ../data/rfc/rfc2707.txt- printing, since some users may think that impressions don't include ../data/rfc/rfc2707.txt- blank sides. ../data/rfc/rfc2707.txt- -- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- Job: A unit of work whose results are expected together without ../data/rfc/rfc2707.txt- interjection of unrelated results. A job contains one or more ../data/rfc/rfc2707.txt- documents. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt: Job Accounting: The activity of a management application of ../data/rfc/rfc2707.txt- accessing the MIB and recording what happens to the job during and ../data/rfc/rfc2707.txt- after the processing of the job. 
../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- Job Instruction: An instruction specifying how, when, or where the ../data/rfc/rfc2707.txt- job is to be processed. Job instructions MAY be passed in the job -- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- The job submitting client and/or monitoring application monitor jobs ../data/rfc/rfc2707.txt- by communicating directly with an agent that is part of the printer. ../data/rfc/rfc2707.txt- The agent in the printer SHALL keep the job in the Job Monitoring MIB ../data/rfc/rfc2707.txt- as long as the job is in the printer, plus a defined time period ../data/rfc/rfc2707.txt: after the job enters the completed state in which accounting programs ../data/rfc/rfc2707.txt: can copy out the accounting data from the Job Monitoring MIB. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- all end-user ######## SNMP query ../data/rfc/rfc2707.txt- +-------+ +--------+ ---- job submission ../data/rfc/rfc2707.txt- |monitor| | client | ../data/rfc/rfc2707.txt- +---#---+ +--#--+--+ -- ../data/rfc/rfc2707.txt- jobs that the server has submitted to the printer. The Job ../data/rfc/rfc2707.txt- Monitoring MIB agent obtains the required information from the ../data/rfc/rfc2707.txt- printer by a method that is beyond the scope of this document. The ../data/rfc/rfc2707.txt- agent in the server SHALL keep the job in the Job Monitoring MIB in ../data/rfc/rfc2707.txt- the server as long as the job is in the printer, plus a defined time ../data/rfc/rfc2707.txt: period after the job enters the completed state in which accounting ../data/rfc/rfc2707.txt: programs can copy out the accounting data from the Job Monitoring ../data/rfc/rfc2707.txt- MIB. 
../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- all end-user ../data/rfc/rfc2707.txt- +-------+ +----------+ ../data/rfc/rfc2707.txt- |monitor| | client | ######## SNMP query -- ../data/rfc/rfc2707.txt- the document data, or by direct query of the server), in order to ../data/rfc/rfc2707.txt- populate some of the objects the Job Monitoring MIB in the printer. ../data/rfc/rfc2707.txt- The agent in the printer SHALL keep the job in the Job Monitoring MIB ../data/rfc/rfc2707.txt- as long as the job is in the Printer, and longer in order to ../data/rfc/rfc2707.txt- implement the completed state in which monitoring programs can copy ../data/rfc/rfc2707.txt: out the accounting data from the Job Monitoring MIB. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- -- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ../data/rfc/rfc2707.txt- + Job Identification attributes (20 - 49 decimal) ../data/rfc/rfc2707.txt- + ../data/rfc/rfc2707.txt- + The following attributes help an end user, a system ../data/rfc/rfc2707.txt: + operator, or an accounting program identify a job. ../data/rfc/rfc2707.txt- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- jobURI(20), OCTET STRING(SIZE(0..63)) ../data/rfc/rfc2707.txt- OCTETS: MULTI-ROW: The job's Universal Resource ../data/rfc/rfc2707.txt- Identifier (URI) [RFC1738]. See IPP [ipp-model] for -- ../data/rfc/rfc2707.txt- no maximum length. 
../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- jobAccountName(21), OCTET STRING(SIZE(0..63)) ../data/rfc/rfc2707.txt- OCTETS: Arbitrary binary information which MAY be coded ../data/rfc/rfc2707.txt- character set data or encrypted data supplied by the ../data/rfc/rfc2707.txt: submitting user for use by accounting services to allocate ../data/rfc/rfc2707.txt- or categorize charges for services provided, such as a ../data/rfc/rfc2707.txt- customer account name or number. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- NOTE: This attribute NEED NOT be printable characters. ../data/rfc/rfc2707.txt- -- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt-RFC 2707 Job Monitoring MIB - V1.0 November 1999 ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- postProcessingFailed 0x8 ../data/rfc/rfc2707.txt: The post-processing agent failed while trying to log accounting ../data/rfc/rfc2707.txt- attributes for the job; therefore the job has been placed into ../data/rfc/rfc2707.txt- the completed state with the jobRetained jmJobStateReasons1 ../data/rfc/rfc2707.txt- object value for a system-defined period of time, so the ../data/rfc/rfc2707.txt- administrator can examine it, resubmit it, etc. ../data/rfc/rfc2707.txt- -- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- Configuring this object is implementation-dependent. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- This value SHALL be equal to or greater than the value of ../data/rfc/rfc2707.txt- jmGeneralAttributePersistence. This value SHOULD be at least ../data/rfc/rfc2707.txt: 60 which gives a monitoring or accounting application one ../data/rfc/rfc2707.txt- minute in which to poll for job data." ../data/rfc/rfc2707.txt- DEFVAL { 60 } -- one minute ../data/rfc/rfc2707.txt- ::= { jmGeneralEntry 5 } ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- -- ../data/rfc/rfc2707.txt- when the job enters the completed, canceled, or aborted state. 
../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- Configuring this object is implementation-dependent. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- This value SHOULD be at least 60 which gives a monitoring or ../data/rfc/rfc2707.txt: accounting application one minute in which to poll for job ../data/rfc/rfc2707.txt- data." ../data/rfc/rfc2707.txt- DEFVAL { 60 } -- one minute ../data/rfc/rfc2707.txt- ::= { jmGeneralEntry 6 } ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- -- ../data/rfc/rfc2707.txt- completes processing, i.e., this value SHALL indicate the total ../data/rfc/rfc2707.txt- usage of this resource made by the job. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- A monitoring application is able to copy this value to a ../data/rfc/rfc2707.txt- suitable longer term storage for later processing as part of an ../data/rfc/rfc2707.txt: accounting system. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- Since the agent MAY add attributes representing resources to ../data/rfc/rfc2707.txt- this table while the job is waiting to be processed or being ../data/rfc/rfc2707.txt- processed, which can be a long time before any of the resources ../data/rfc/rfc2707.txt- are actually used, the agent SHALL set the value of the -- ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- Job states are intended to last a user-visible length of time in most ../data/rfc/rfc2707.txt- implementations. However, some jobs may pass through some states in ../data/rfc/rfc2707.txt- zero time in some situations and/or in some implementations. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt: The job model does not specify how accounting and auditing is ../data/rfc/rfc2707.txt: implemented, except to assume that accounting and auditing logs are ../data/rfc/rfc2707.txt- separate from the job life cycle and last longer than job entries in ../data/rfc/rfc2707.txt- the MIB. 
Jobs in the completed, aborted, or canceled states are not ../data/rfc/rfc2707.txt- logs, since jobs in these states are accessible via SNMP protocol ../data/rfc/rfc2707.txt- operations and SHALL be removed from the Job Monitoring MIB tables ../data/rfc/rfc2707.txt- after a site-settable or implementation-defined period of time. An ../data/rfc/rfc2707.txt: accounting application MAY copy accounting information incrementally ../data/rfc/rfc2707.txt: to an accounting log as a job processes, or MAY copy it while the ../data/rfc/rfc2707.txt- job is in the canceled, aborted, or completed states, depending on ../data/rfc/rfc2707.txt- implementation. The same is true for auditing logs. ../data/rfc/rfc2707.txt- ../data/rfc/rfc2707.txt- The jmJobState object specifies the standard job states. The normal ../data/rfc/rfc2707.txt- job state transitions are shown in the state transition diagram -- ../data/rfc/rfc2799.txt- ../data/rfc/rfc2799.txt-This document provides a printer industry standard SNMP MIB for (1) ../data/rfc/rfc2799.txt-monitoring the status and progress of print jobs, (2) obtaining resource ../data/rfc/rfc2799.txt-requirements before a job is processed, (3) monitoring resource ../data/rfc/rfc2799.txt-consumption while a job is being processed and (4) collecting resource ../data/rfc/rfc2799.txt:accounting data after the completion of a job. This memo provides ../data/rfc/rfc2799.txt-information for the Internet community. ../data/rfc/rfc2799.txt- ../data/rfc/rfc2799.txt- ../data/rfc/rfc2799.txt-2706 Eastlake Oct 1999 ECML v1: Field Names for ../data/rfc/rfc2799.txt- E-Commerce -- ../data/rfc/rfc5533.txt-11. Sending ULP Payloads ../data/rfc/rfc5533.txt- ../data/rfc/rfc5533.txt- When there is no context state for the ULID pair on the sender, there ../data/rfc/rfc5533.txt- is no effect on how ULP packets are sent.
If the host is using some ../data/rfc/rfc5533.txt- heuristic for determining when to perform a deferred context ../data/rfc/rfc5533.txt: establishment, then the host might need to do some accounting (count ../data/rfc/rfc5533.txt- the number of packets sent and received) even before there is a ULID- ../data/rfc/rfc5533.txt- pair context. ../data/rfc/rfc5533.txt- ../data/rfc/rfc5533.txt- ../data/rfc/rfc5533.txt- -- ../data/rfc/rfc5533.txt- the Next Header value (which might be some function associated with ../data/rfc/rfc5533.txt- the IP endpoint sublayer or a ULP). ../data/rfc/rfc5533.txt- ../data/rfc/rfc5533.txt- If the host is using some heuristic for determining when to perform a ../data/rfc/rfc5533.txt- deferred context establishment, then the host might need to do some ../data/rfc/rfc5533.txt: accounting (count the number of packets sent and received) for ../data/rfc/rfc5533.txt- packets that do not have a Shim6 Extension header and for which there ../data/rfc/rfc5533.txt- is no context. But the need for this depends on what heuristics the ../data/rfc/rfc5533.txt- implementation has chosen. ../data/rfc/rfc5533.txt- ../data/rfc/rfc5533.txt-12.3. Receiving Shim Control Messages -- ../data/rfc/rfc2866.txt-Request for Comments: 2866 Livingston ../data/rfc/rfc2866.txt-Category: Informational June 2000 ../data/rfc/rfc2866.txt-Obsoletes: 2139 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: RADIUS Accounting ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Status of this Memo ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- This memo provides information for the Internet community. It does ../data/rfc/rfc2866.txt- not specify an Internet standard of any kind. Distribution of this -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Copyright (C) The Internet Society (2000). All Rights Reserved. 
../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Abstract ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: This document describes a protocol for carrying accounting ../data/rfc/rfc2866.txt: information between a Network Access Server and a shared Accounting ../data/rfc/rfc2866.txt- Server. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Implementation Note ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: This memo documents the RADIUS Accounting protocol. The early ../data/rfc/rfc2866.txt: deployment of RADIUS Accounting was done using UDP port number 1646, ../data/rfc/rfc2866.txt- which conflicts with the "sa-msg-port" service. The officially ../data/rfc/rfc2866.txt: assigned port number for RADIUS Accounting is 1813. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Table of Contents ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 1. Introduction .................................... 2 ../data/rfc/rfc2866.txt- 1.1 Specification of Requirements ................. 3 ../data/rfc/rfc2866.txt- 1.2 Terminology ................................... 3 ../data/rfc/rfc2866.txt- 2. Operation ....................................... 4 ../data/rfc/rfc2866.txt- 2.1 Proxy ......................................... 4 ../data/rfc/rfc2866.txt- 3. Packet Format ................................... 5 ../data/rfc/rfc2866.txt- 4. Packet Types ................................... 7 ../data/rfc/rfc2866.txt: 4.1 Accounting-Request ............................ 8 ../data/rfc/rfc2866.txt: 4.2 Accounting-Response ........................... 9 ../data/rfc/rfc2866.txt- 5. Attributes ...................................... 10 ../data/rfc/rfc2866.txt- 5.1 Acct-Status-Type .............................. 12 ../data/rfc/rfc2866.txt- 5.2 Acct-Delay-Time ............................... 13 ../data/rfc/rfc2866.txt- 5.3 Acct-Input-Octets ............................. 14 ../data/rfc/rfc2866.txt- 5.4 Acct-Output-Octets ............................ 
15 -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 1] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 5.6 Acct-Authentic ................................ 16 ../data/rfc/rfc2866.txt- 5.7 Acct-Session-Time ............................. 17 ../data/rfc/rfc2866.txt- 5.8 Acct-Input-Packets ............................ 18 -- ../data/rfc/rfc2866.txt-1. Introduction ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Managing dispersed serial line and modem pools for large numbers of ../data/rfc/rfc2866.txt- users can create the need for significant administrative support. ../data/rfc/rfc2866.txt- Since modem pools are by definition a link to the outside world, they ../data/rfc/rfc2866.txt: require careful attention to security, authorization and accounting. ../data/rfc/rfc2866.txt- This can be best achieved by managing a single "database" of users, ../data/rfc/rfc2866.txt- which allows for authentication (verifying user name and password) as ../data/rfc/rfc2866.txt- well as configuration information detailing the type of service to ../data/rfc/rfc2866.txt- deliver to the user (for example, SLIP, PPP, telnet, rlogin). ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The RADIUS (Remote Authentication Dial In User Service) document [2] ../data/rfc/rfc2866.txt- specifies the RADIUS protocol used for Authentication and ../data/rfc/rfc2866.txt- Authorization. This memo extends the use of the RADIUS protocol to ../data/rfc/rfc2866.txt: cover delivery of accounting information from the Network Access ../data/rfc/rfc2866.txt: Server (NAS) to a RADIUS accounting server. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- This document obsoletes RFC 2139 [1]. 
A summary of the changes ../data/rfc/rfc2866.txt- between this document and RFC 2139 is available in the "Change Log" ../data/rfc/rfc2866.txt- appendix. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: Key features of RADIUS Accounting are: ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Client/Server Model ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- A Network Access Server (NAS) operates as a client of the ../data/rfc/rfc2866.txt: RADIUS accounting server. The client is responsible for ../data/rfc/rfc2866.txt: passing user accounting information to a designated RADIUS ../data/rfc/rfc2866.txt: accounting server. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 2] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: The RADIUS accounting server is responsible for receiving the ../data/rfc/rfc2866.txt: accounting request and returning a response to the client ../data/rfc/rfc2866.txt- indicating that it has successfully received the request. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: The RADIUS accounting server can act as a proxy client to ../data/rfc/rfc2866.txt: other kinds of accounting servers. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Network Security ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: Transactions between the client and RADIUS accounting server ../data/rfc/rfc2866.txt- are authenticated through the use of a shared secret, which is ../data/rfc/rfc2866.txt- never sent over the network. 
../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Extensible Protocol ../data/rfc/rfc2866.txt- -- ../data/rfc/rfc2866.txt- constitutes a session, with the beginning of the session ../data/rfc/rfc2866.txt- defined as the point where service is first provided and ../data/rfc/rfc2866.txt- the end of the session defined as the point where service ../data/rfc/rfc2866.txt- is ended. A user may have multiple sessions in parallel or ../data/rfc/rfc2866.txt- series if the NAS supports that, with each session ../data/rfc/rfc2866.txt: generating a separate start and stop accounting record with ../data/rfc/rfc2866.txt- its own Acct-Session-Id. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- silently discard ../data/rfc/rfc2866.txt- This means the implementation discards the packet without ../data/rfc/rfc2866.txt- further processing. The implementation SHOULD provide the -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 3] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-2. Operation ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: When a client is configured to use RADIUS Accounting, at the start of ../data/rfc/rfc2866.txt: service delivery it will generate an Accounting Start packet ../data/rfc/rfc2866.txt- describing the type of service being delivered and the user it is ../data/rfc/rfc2866.txt: being delivered to, and will send that to the RADIUS Accounting ../data/rfc/rfc2866.txt- server, which will send back an acknowledgement that the packet has ../data/rfc/rfc2866.txt- been received. 
At the end of service delivery the client will ../data/rfc/rfc2866.txt: generate an Accounting Stop packet describing the type of service ../data/rfc/rfc2866.txt- that was delivered and optionally statistics such as elapsed time, ../data/rfc/rfc2866.txt- input and output octets, or input and output packets. It will send ../data/rfc/rfc2866.txt: that to the RADIUS Accounting server, which will send back an ../data/rfc/rfc2866.txt- acknowledgement that the packet has been received. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: The Accounting-Request (whether for Start or Stop) is submitted to ../data/rfc/rfc2866.txt: the RADIUS accounting server via the network. It is recommended that ../data/rfc/rfc2866.txt: the client continue attempting to send the Accounting-Request packet ../data/rfc/rfc2866.txt- until it receives an acknowledgement, using some form of backoff. If ../data/rfc/rfc2866.txt- no response is returned within a length of time, the request is re- ../data/rfc/rfc2866.txt- sent a number of times. The client can also forward requests to an ../data/rfc/rfc2866.txt- alternate server or servers in the event that the primary server is ../data/rfc/rfc2866.txt- down or unreachable. An alternate server can be used either after a ../data/rfc/rfc2866.txt- number of tries to the primary server fail, or in a round-robin ../data/rfc/rfc2866.txt- fashion. Retry and fallback algorithms are the topic of current ../data/rfc/rfc2866.txt- research and are not specified in detail in this document. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: The RADIUS accounting server MAY make requests of other servers in ../data/rfc/rfc2866.txt- order to satisfy the request, in which case it acts as a client. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: If the RADIUS accounting server is unable to successfully record the ../data/rfc/rfc2866.txt: accounting packet it MUST NOT send an Accounting-Response ../data/rfc/rfc2866.txt- acknowledgment to the client. 
../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-2.1. Proxy ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- See the "RADIUS" RFC [2] for information on Proxy RADIUS. Proxy ../data/rfc/rfc2866.txt: Accounting RADIUS works the same way, as illustrated by the following ../data/rfc/rfc2866.txt- example. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: 1. The NAS sends an accounting-request to the forwarding server. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: 2. The forwarding server logs the accounting-request (if desired), ../data/rfc/rfc2866.txt- adds its Proxy-State (if desired) after any other Proxy-State ../data/rfc/rfc2866.txt- attributes, updates the Request Authenticator, and forwards the ../data/rfc/rfc2866.txt- request to the remote server. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 4] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: 3. The remote server logs the accounting-request (if desired), ../data/rfc/rfc2866.txt- copies all Proxy-State attributes in order and unmodified from ../data/rfc/rfc2866.txt: the request to the response packet, and sends the accounting- ../data/rfc/rfc2866.txt- response to the forwarding server. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 4. The forwarding server strips the last Proxy-State (if it added ../data/rfc/rfc2866.txt- one in step 2), updates the Response Authenticator and sends ../data/rfc/rfc2866.txt: the accounting-response to the NAS. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- A forwarding server MUST NOT modify existing Proxy-State or Class ../data/rfc/rfc2866.txt- attributes present in the packet.
../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- A forwarding server may either perform its forwarding function in a -- ../data/rfc/rfc2866.txt- takes responsibility for retransmissions so that its retransmission ../data/rfc/rfc2866.txt- policy is robust and scalable. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-3. Packet Format ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: Exactly one RADIUS Accounting packet is encapsulated in the UDP Data ../data/rfc/rfc2866.txt- field [4], where the UDP Destination Port field indicates 1813 ../data/rfc/rfc2866.txt- (decimal). ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- When a reply is generated, the source and destination ports are ../data/rfc/rfc2866.txt- reversed. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: This memo documents the RADIUS Accounting protocol. The early ../data/rfc/rfc2866.txt: deployment of RADIUS Accounting was done using UDP port number 1646, ../data/rfc/rfc2866.txt- which conflicts with the "sa-msg-port" service. The officially ../data/rfc/rfc2866.txt: assigned port number for RADIUS Accounting is 1813. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- A summary of the RADIUS data format is shown below. The fields are ../data/rfc/rfc2866.txt- transmitted from left to right. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 5] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 0 1 2 3 ../data/rfc/rfc2866.txt- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ../data/rfc/rfc2866.txt- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The Code field is one octet, and identifies the type of RADIUS ../data/rfc/rfc2866.txt- packet. 
When a packet is received with an invalid Code field, it ../data/rfc/rfc2866.txt- is silently discarded. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: RADIUS Accounting Codes (decimal) are assigned as follows: ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: 4 Accounting-Request ../data/rfc/rfc2866.txt: 5 Accounting-Response ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Identifier ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The Identifier field is one octet, and aids in matching requests ../data/rfc/rfc2866.txt- and replies. The RADIUS server can detect a duplicate request if -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Authenticator ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The Authenticator field is sixteen (16) octets. The most ../data/rfc/rfc2866.txt- significant octet is transmitted first. This value is used to ../data/rfc/rfc2866.txt: authenticate the messages between the client and RADIUS accounting ../data/rfc/rfc2866.txt- server. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 6] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Request Authenticator ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: In Accounting-Request Packets, the Authenticator value is a 16 ../data/rfc/rfc2866.txt- octet MD5 [5] checksum, called the Request Authenticator. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: The NAS and RADIUS accounting server share a secret. The Request ../data/rfc/rfc2866.txt: Authenticator field in Accounting-Request packets contains a one- ../data/rfc/rfc2866.txt- way MD5 hash calculated over a stream of octets consisting of the ../data/rfc/rfc2866.txt- Code + Identifier + Length + 16 zero octets + request attributes + ../data/rfc/rfc2866.txt- shared secret (where + indicates concatenation). 
The 16 octet MD5 ../data/rfc/rfc2866.txt- hash value is stored in the Authenticator field of the ../data/rfc/rfc2866.txt: Accounting-Request packet. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: Note that the Request Authenticator of an Accounting-Request cannot ../data/rfc/rfc2866.txt- be computed the same way as the Request Authenticator of a RADIUS ../data/rfc/rfc2866.txt- Access-Request, because there is no User-Password attribute in an ../data/rfc/rfc2866.txt: Accounting-Request (in an Access-Request the Request Authenticator is a random value, and the shared secret enters only through the hiding of User-Password; an Accounting-Request has no such attribute, so the secret must be folded into the Authenticator itself). ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Response Authenticator ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: The Authenticator field in an Accounting-Response packet is called ../data/rfc/rfc2866.txt- the Response Authenticator, and contains a one-way MD5 hash ../data/rfc/rfc2866.txt: calculated over a stream of octets consisting of the Accounting- ../data/rfc/rfc2866.txt- Response Code, Identifier, Length, the Request Authenticator field ../data/rfc/rfc2866.txt: from the Accounting-Request packet being replied to, and the ../data/rfc/rfc2866.txt- response attributes if any, followed by the shared secret. The ../data/rfc/rfc2866.txt- resulting 16 octet MD5 hash value is stored in the Authenticator ../data/rfc/rfc2866.txt: field of the Accounting-Response packet. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Attributes ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Attributes may have multiple instances; in such a case the order ../data/rfc/rfc2866.txt- of attributes of the same type SHOULD be preserved. The order of -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 7] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:4.1.
Accounting-Request ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Description ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: Accounting-Request packets are sent from a client (typically a ../data/rfc/rfc2866.txt: Network Access Server or its proxy) to a RADIUS accounting server, ../data/rfc/rfc2866.txt: and convey information used to provide accounting for a service ../data/rfc/rfc2866.txt- provided to a user. The client transmits a RADIUS packet with the ../data/rfc/rfc2866.txt: Code field set to 4 (Accounting-Request). ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: Upon receipt of an Accounting-Request, the server MUST transmit an ../data/rfc/rfc2866.txt: Accounting-Response reply if it successfully records the ../data/rfc/rfc2866.txt: accounting packet, and MUST NOT transmit any reply if it fails to ../data/rfc/rfc2866.txt: record the accounting packet. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Any attribute valid in a RADIUS Access-Request or Access-Accept ../data/rfc/rfc2866.txt: packet is valid in a RADIUS Accounting-Request packet, except that ../data/rfc/rfc2866.txt: the following attributes MUST NOT be present in an Accounting- ../data/rfc/rfc2866.txt- Request: User-Password, CHAP-Password, Reply-Message, State. ../data/rfc/rfc2866.txt- Either NAS-IP-Address or NAS-Identifier MUST be present in a ../data/rfc/rfc2866.txt: RADIUS Accounting-Request. It SHOULD contain a NAS-Port or NAS- ../data/rfc/rfc2866.txt- Port-Type attribute or both unless the service does not involve a ../data/rfc/rfc2866.txt- port or the NAS does not distinguish among its ports. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: If the Accounting-Request packet includes a Framed-IP-Address, ../data/rfc/rfc2866.txt- that attribute MUST contain the IP address of the user. 
If the ../data/rfc/rfc2866.txt- Access-Accept used the special values for Framed-IP-Address ../data/rfc/rfc2866.txt- telling the NAS to assign or negotiate an IP address for the user, ../data/rfc/rfc2866.txt: the Framed-IP-Address (if any) in the Accounting-Request MUST ../data/rfc/rfc2866.txt- contain the actual IP address assigned or negotiated. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: A summary of the Accounting-Request packet format is shown below. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The fields are transmitted from left to right. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 0 1 2 3 ../data/rfc/rfc2866.txt- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 8] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Code ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: 4 for Accounting-Request. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Identifier ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The Identifier field MUST be changed whenever the content of the ../data/rfc/rfc2866.txt- Attributes field changes, and whenever a valid reply has been ../data/rfc/rfc2866.txt- received for a previous request. For retransmissions where the ../data/rfc/rfc2866.txt- contents are identical, the Identifier MUST remain unchanged. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Note that if Acct-Delay-Time is included in the attributes of an ../data/rfc/rfc2866.txt: Accounting-Request then the Acct-Delay-Time value will be updated ../data/rfc/rfc2866.txt- when the packet is retransmitted, changing the content of the ../data/rfc/rfc2866.txt- Attributes field and requiring a new Identifier and Request ../data/rfc/rfc2866.txt- Authenticator. 
../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Request Authenticator ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: The Request Authenticator of an Accounting-Request contains a 16-octet ../data/rfc/rfc2866.txt- MD5 hash value calculated according to the method described in ../data/rfc/rfc2866.txt- "Request Authenticator" above. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Attributes ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The Attributes field is variable in length, and contains a list of ../data/rfc/rfc2866.txt- Attributes. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:4.2. Accounting-Response ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Description ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: Accounting-Response packets are sent by the RADIUS accounting ../data/rfc/rfc2866.txt: server to the client to acknowledge that the Accounting-Request ../data/rfc/rfc2866.txt: has been received and recorded successfully. If the Accounting- ../data/rfc/rfc2866.txt: Request was recorded successfully then the RADIUS accounting ../data/rfc/rfc2866.txt- server MUST transmit a packet with the Code field set to 5 ../data/rfc/rfc2866.txt: (Accounting-Response). On reception of an Accounting-Response by ../data/rfc/rfc2866.txt- the client, the Identifier field is matched with a pending ../data/rfc/rfc2866.txt: Accounting-Request. The Response Authenticator field MUST contain ../data/rfc/rfc2866.txt: the correct response for the pending Accounting-Request. Invalid ../data/rfc/rfc2866.txt- packets are silently discarded. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: A RADIUS Accounting-Response is not required to have any ../data/rfc/rfc2866.txt- attributes in it. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: A summary of the Accounting-Response packet format is shown below. ../data/rfc/rfc2866.txt- The fields are transmitted from left to right. 
../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 9] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 0 1 2 3 ../data/rfc/rfc2866.txt- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ../data/rfc/rfc2866.txt- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- ../data/rfc/rfc2866.txt- | Attributes ... ../data/rfc/rfc2866.txt- +-+-+-+-+-+-+-+-+-+-+-+-+- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Code ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: 5 for Accounting-Response. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Identifier ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The Identifier field is a copy of the Identifier field of the ../data/rfc/rfc2866.txt: Accounting-Request which caused this Accounting-Response. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Response Authenticator ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: The Response Authenticator of an Accounting-Response contains a ../data/rfc/rfc2866.txt- 16-octet MD5 hash value calculated according to the method ../data/rfc/rfc2866.txt- described in "Response Authenticator" above. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Attributes ../data/rfc/rfc2866.txt- -- ../data/rfc/rfc2866.txt- zero or more Attributes. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-5. Attributes ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- RADIUS Attributes carry the specific authentication, authorization ../data/rfc/rfc2866.txt: and accounting details for the request and response. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Some attributes MAY be included more than once. The effect of this ../data/rfc/rfc2866.txt- is attribute specific, and is specified in each attribute ../data/rfc/rfc2866.txt- description. 
../data/rfc/rfc2866.txt- -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 10] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 0 1 2 ../data/rfc/rfc2866.txt- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 ../data/rfc/rfc2866.txt- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Length ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The Length field is one octet, and indicates the length of this ../data/rfc/rfc2866.txt- attribute including the Type, Length and Value fields. If an ../data/rfc/rfc2866.txt: attribute is received in an Accounting-Request with an invalid ../data/rfc/rfc2866.txt- Length, the entire request MUST be silently discarded. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Value ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The Value field is zero or more octets and contains information -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 11] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- [7] characters and String contains 8-bit binary data. Servers ../data/rfc/rfc2866.txt- and clients MUST be able to deal with embedded nulls. ../data/rfc/rfc2866.txt- RADIUS implementers using C are cautioned not to use strcpy() when -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-5.1. Acct-Status-Type ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Description ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: This attribute indicates whether this Accounting-Request marks the ../data/rfc/rfc2866.txt- beginning of the user service (Start) or the end (Stop).
../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: It MAY be used by the client to mark the start of accounting (for ../data/rfc/rfc2866.txt: example, upon booting) by specifying Accounting-On and to mark the ../data/rfc/rfc2866.txt: end of accounting (for example, just before a scheduled reboot) by ../data/rfc/rfc2866.txt: specifying Accounting-Off. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- A summary of the Acct-Status-Type attribute format is shown below. ../data/rfc/rfc2866.txt- The fields are transmitted from left to right. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 0 1 2 3 -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 12] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Type ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 40 for Acct-Status-Type. -- ../data/rfc/rfc2866.txt- The Value field is four octets. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 1 Start ../data/rfc/rfc2866.txt- 2 Stop ../data/rfc/rfc2866.txt- 3 Interim-Update ../data/rfc/rfc2866.txt: 7 Accounting-On ../data/rfc/rfc2866.txt: 8 Accounting-Off ../data/rfc/rfc2866.txt: 9-14 Reserved for Tunnel Accounting ../data/rfc/rfc2866.txt- 15 Reserved for Failed ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-5.2. Acct-Delay-Time ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Description ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- This attribute indicates how many seconds the client has been ../data/rfc/rfc2866.txt- trying to send this record for, and can be subtracted from the ../data/rfc/rfc2866.txt- time of arrival on the server to find the approximate time of the ../data/rfc/rfc2866.txt: event generating this Accounting-Request. (Network transit time ../data/rfc/rfc2866.txt- is ignored.) 
../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Note that changing the Acct-Delay-Time causes the Identifier to ../data/rfc/rfc2866.txt- change; see the discussion under Identifier above. ../data/rfc/rfc2866.txt- -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 13] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Type ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 41 for Acct-Delay-Time. -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Description ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- This attribute indicates how many octets have been received from ../data/rfc/rfc2866.txt- the port over the course of this service being provided, and can ../data/rfc/rfc2866.txt: only be present in Accounting-Request records where the Acct- ../data/rfc/rfc2866.txt- Status-Type is set to Stop. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- A summary of the Acct-Input-Octets attribute format is shown below. ../data/rfc/rfc2866.txt- The fields are transmitted from left to right. ../data/rfc/rfc2866.txt- -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 14] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-5.4. Acct-Output-Octets ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Description ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- This attribute indicates how many octets have been sent to the ../data/rfc/rfc2866.txt- port in the course of delivering this service, and can only be ../data/rfc/rfc2866.txt: present in Accounting-Request records where the Acct-Status-Type ../data/rfc/rfc2866.txt- is set to Stop. 
../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- A summary of the Acct-Output-Octets attribute format is shown below. ../data/rfc/rfc2866.txt- The fields are transmitted from left to right. ../data/rfc/rfc2866.txt- -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-5.5. Acct-Session-Id ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Description ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: This attribute is a unique Accounting ID to make it easy to match ../data/rfc/rfc2866.txt- start and stop records in a log file. The start and stop records ../data/rfc/rfc2866.txt- for a given session MUST have the same Acct-Session-Id. An ../data/rfc/rfc2866.txt: Accounting-Request packet MUST have an Acct-Session-Id. An ../data/rfc/rfc2866.txt- Access-Request packet MAY have an Acct-Session-Id; if it does, ../data/rfc/rfc2866.txt: then the NAS MUST use the same Acct-Session-Id in the Accounting- ../data/rfc/rfc2866.txt- Request packets for that session. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- The Acct-Session-Id SHOULD contain UTF-8 encoded 10646 [7] ../data/rfc/rfc2866.txt- characters. ../data/rfc/rfc2866.txt- -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 15] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- For example, one implementation uses a string with an 8-digit ../data/rfc/rfc2866.txt- upper case hexadecimal number, the first two digits increment on ../data/rfc/rfc2866.txt- each reboot (wrapping every 256 reboots) and the next 6 digits -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-5.6. 
Acct-Authentic ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Description ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt: This attribute MAY be included in an Accounting-Request to ../data/rfc/rfc2866.txt- indicate how the user was authenticated, whether by RADIUS, the ../data/rfc/rfc2866.txt- NAS itself, or another remote authentication protocol. Users who ../data/rfc/rfc2866.txt- are delivered service without being authenticated SHOULD NOT ../data/rfc/rfc2866.txt: generate Accounting records. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- A summary of the Acct-Authentic attribute format is shown below. The ../data/rfc/rfc2866.txt- fields are transmitted from left to right. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 0 1 2 3 -- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt-Rigney Informational [Page 16] ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt:RFC 2866 RADIUS Accounting June 2000 ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Type ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- 45 for Acct-Authentic. -- ../data/rfc/rfc2866.txt-5.7. Acct-Session-Time ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- Description ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- This attribute indicates how many seconds the user has received ../data/rfc/rfc2866.txt: service for, and can only be present in Accounting-Request records ../data/rfc/rfc2866.txt- where the Acct-Status-Type is set to Stop. ../data/rfc/rfc2866.txt- ../data/rfc/rfc2866.txt- A summary of the Acct-Session-Time attribute format is shown below. ../data/rfc/rfc2866.txt- The fields are transmitted from left to right. 
--

5.8.  Acct-Input-Packets

   Description

      This attribute indicates how many packets have been received from
      the port over the course of this service being provided to a
      Framed User, and can only be present in Accounting-Request records
      where the Acct-Status-Type is set to Stop.

      A summary of the Acct-Input-Packets attribute format is shown below.
      The fields are transmitted from left to right.

--

   Description

      This attribute indicates how many packets have been sent to the
      port in the course of delivering this service to a Framed User,
      and can only be present in Accounting-Request records where the
      Acct-Status-Type is set to Stop.

      A summary of the Acct-Output-Packets attribute format is shown below.
      The fields are transmitted from left to right.
--

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
5.10.  Acct-Terminate-Cause

   Description

      This attribute indicates how the session was terminated, and can
      only be present in Accounting-Request records where the
      Acct-Status-Type is set to Stop.

      A summary of the Acct-Terminate-Cause attribute format is shown
      below.  The fields are transmitted from left to right.

--
   Type

      49 for Acct-Terminate-Cause
--
      Admin Reboot         Administrator is ending service on the NAS,
                           for example prior to rebooting the NAS.

--

5.11.  Acct-Multi-Session-Id

   Description

      This attribute is a unique Accounting ID to make it easy to link
      together multiple related sessions in a log file.  Each session
      linked together would have a unique Acct-Session-Id but the same
      Acct-Multi-Session-Id.  It is strongly recommended that the
      Acct-Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.

--

       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
5.12.  Acct-Link-Count

   Description

      This attribute gives the count of links which are known to have been
      in a given multilink session at the time the accounting record is
      generated.  The NAS MAY include the Acct-Link-Count attribute in any
      Accounting-Request which might have multiple links.

      A summary of the Acct-Link-Count attribute format is shown below.
      The fields are transmitted from left to right.

       0                   1                   2                   3
--
   Type

      51 for Acct-Link-Count.
--
   Value

      The Value field is four octets, and contains the number of links
      seen so far in this Multilink Session.

      It may be used to make it easier for an accounting server to know
      when it has all the records for a given Multilink session.  When
      the number of Accounting-Requests received with Acct-Status-Type =
      Stop and the same Acct-Multi-Session-Id and unique
      Acct-Session-Id's equals the largest value of Acct-Link-Count seen
      in those Accounting-Requests, all Stop Accounting-Requests for
      that Multilink Session have been received.

      An example showing 8 Accounting-Requests should make things
      clearer.  For clarity only the relevant attributes are shown, but
      additional attributes containing accounting information will also
      be present in the Accounting-Request.

      Multi-Session-Id  Session-Id  Status-Type  Link-Count
           "10"            "10"        Start          1
           "10"            "11"        Start          2
           "10"            "11"        Stop           2
--
           "10"            "10"        Stop           4

5.13.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in Accounting-Request packets.  No attributes should be found in
   Accounting-Response packets except Proxy-State and possibly
   Vendor-Specific.


   #     Attribute
   0-1   User-Name
--
   0-1   NAS-IP-Address [Note 1]
   0-1   NAS-Port
   0-1   Service-Type
--
   0-1   NAS-Port-Type
   0-1   Port-Limit
   0-1   Login-LAT-Port

   [Note 1] An Accounting-Request MUST contain either a NAS-IP-Address
   or a NAS-Identifier (or both).

   The following table defines the above table entries.

   0     This attribute MUST NOT be present
--
   26 [8].

7.  Security Considerations

   Security issues are discussed in sections concerning the
   authenticator included in accounting requests and responses, using a
   shared secret which is never sent over the network.

8.  Change Log

   US-ASCII replaced by UTF-8.
--
   Added notes on Proxy.

   Framed-IP-Address should contain the actual IP address of the user.

   If Acct-Session-ID was sent in an access-request, it must be used in
   the accounting-request for that session.

   New values added to Acct-Status-Type.

   Added an IANA Considerations section.

--

9.  References

   [1]  Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.

   [2]  Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
        Authentication Dial In User Service (RADIUS)", RFC 2865, June
        2000.

--
   [8]  Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA
        Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

10.  Acknowledgements

   RADIUS and RADIUS Accounting were originally developed by Steve
   Willens of Livingston Enterprises for their PortMaster series of
   Network Access Servers.

11.  Chair's Address
--

12.  Author's Address

   Questions about this memo can also be directed to:
--

13.  Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.
--
../data/rfc/rfc6183.txt:
   algorithm, and observation information) into appropriate fields in
   the existing Data Records or into Data Records defined by new
   Options Templates.

   IPFIX transport protocol conversion can be used to enhance the export
   reliability, for example, for data retention and accounting.  In this
   case, the Intermediate Conversion Process covers the following
   functions:

   o  Relaying Data Records, (Options) Template Records, and Data
      Records defined by Options Templates.
--
../data/rfc/rfc7966.txt:
   The following terms are also used in this document:

   AAA broker

      An entity that manages Authentication, Authorization, and
      Accounting (AAA) traffic between roaming partner networks.

   AAA broker network

      A network operated by a AAA broker, which consists of necessary
      AAA functions to provide AAA brokering services for its customer
--
../data/rfc/rfc1175.txt:
   attributes on the quality and appropriateness of communication.
   Hard copies may be obtained, for a fee, from: Publications
   Distribution Services, The RAND Corporation, P.O. Box 2138, Santa
   Monica, CA 90406-2138.

   U.S. General Accounting Office, Computer Security - Virus Highlights
   Need for Improved Internet Management, 36 pgs., United States General
   Accounting Office, Washington, DC, 1989.

      This report (GAO/IMTEC-89-57), by the U.S. Government Accounting
      Office, describes the worm and its effects.  It gives a good
      overview of the various U.S. agencies involved in the Internet
      today and their concerns vis-a-vis computer security and
      networking.  Available on-line on host nnsc.nsf.net, directory
      pub, filename GAO_RPT; and on nis.nsf.net, directory nsfnet,
--
../data/rfc/rfc3917.txt:
       2.3.  Metering Process . . . . . . . . . . . . . . . . . . .  4
       2.4.  Flow Record. . . . . . . . . . . . . . . . . . . . . .  5
       2.5.  Exporting Process. . . . . . . . . . . . . . . . . . .  5
       2.6.  Collecting Process . . . . . . . . . . . . . . . . . .  5
   3.  Applications Requiring IP Flow Information Export . . . . . .  6
       3.1.  Usage-based Accounting . . . . . . . . . . . . . . . .  6
       3.2.  Traffic Profiling. . . . . . . . . . . . . . . . . . .  7
       3.3.  Traffic Engineering. . . . . . . . . . . . . . . . . .  7
       3.4.  Attack/Intrusion Detection . . . . . . . . . . . . . .  7
       3.5.  QoS Monitoring . . . . . . . . . . . . . . . . . . . .  8
   4.  Distinguishing Flows. . . . . . . . . . . . . . . . . . . . .  8
--
   significance (required (must), recommended (should), optional (may))
   could differ for specific implementations and/or for specific
   application scenarios.  Therefore we derive the requirements from the
   general functionality of the selected applications.  Some particular
   cases will even mandate more stringent requirements than the ones
   defined in this document.  For example, usage-based accounting is
   certainly the application that will probably mandate the highest
   degree of reliability amongst the applications discussed below.  The
   reliability requirements defined in sections 5.1 and 6.3.2. are not
   sufficient to guarantee the level of reliability that is needed for
   many usage-based accounting systems.  Particular reliability
   requirements for accounting systems are discussed in [RFC2975].

3.1.  Usage-based Accounting

   Several new business models for selling IP services and IP-based
   services are currently under investigation.  Beyond flat rate
   services which do not need accounting, accounting can be based on
   time or volume.  Accounting data can serve as input for billing
   systems.  Accounting can be performed per user or per user group, it
   can be performed just for basic IP service or individually per
   high-level service and/or per content type delivered.  For
   advanced/future services, accounting may also be performed per class
   of service, per application, per time of day, per (label switched)
   path used, etc.

--
   that anonymization is not originally an application requirement, but
   derived from general requirements for treatment of measured traffic
   data within a network.

   For several applications anonymization cannot be applied, for example
   for accounting and traffic engineering.  However, for protecting the
   network user's privacy, anonymization should be applied whenever

Quittek, et al.              Informational                     [Page 18]
--
   public Internet.  Therefore it cannot be excluded that an attacker
   captures or modifies packets or inserts additional packets.

   This section describes security requirements for IPFIX.  Like other
   requirements, the security requirements differ among the considered
   applications.  The incentive to modify collected data for accounting
   or intrusion detection for instance is usually higher than the
   incentive to change data collected for traffic profiling.  A detailed
   list of the required security features per application can be found
   in the appendix.

--
   extensibility of the IPFIX protocol are sufficient to support
   anonymized flow records when appropriate methods are standardized.

10.2.  Forgery of Flow Records

   If flow records are used in accounting and/or security applications,
   there are potentially strong incentives to forge exported IPFIX flow
   records (for example, to save money or prevent the detection of an
   attack).  This can be done either by altering flow records on the
   path or by injecting forged flow records that pretend to be
   originated by the original exporting process.
--
   ---------------------------------------------------.  |  |  |
   C: Traffic Engineering                            |  |  |  |
   ---------------------------------------------.  |  |  |  |
   B: Traffic Profiling                         |  |  |  |  |
   ---------------------------------------.  |  |  |  |  |
   A: Usage-based Accounting              |  |  |  |  |  |
   ---------------------------------.  |  |  |  |  |  |
                                    |  |  |  |  |  |  |
   | Sect. | Requirement             | A | B | C | D | E | IPFIX|
   |-------+-------------------------+-----+-----+-----+-----+-----+------|
   | 4.    | DISTINGUISHING FLOWS    |
--
   (e) If sampling is supported, sampling configuration changes must
       be indicated to all collecting processes.
   (f) If overload behavior is supported and it induces changes in
       the metering process behavior, the overload behavior must be
       clearly defined.
   (g) Precise time-based accounting requires reaction to a flow
       timeout.
   (h) If a packet is fragmented, each fragment is counted as an
       individual packet.
   (i) If protocol type is ICMP.

--
   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, July 2003.

   [RFC2975]  Aboba, B., Arkko, J., and D. Harrington, "Introduction to
              Accounting Management", RFC 2975, October 2000.

   [RFC2702]  Awduche, D., Malcolm, J., Agogbua, J., O'Dell, M., and J.
              McManus, "Requirements for Traffic Engineering Over
              MPLS", RFC 2702, September 1999.

--
../data/rfc/rfc2724.txt:

   [GUAR-QOS] Shenker, S., Partridge, C. and R. Guerin, "Specification
              of Guaranteed Quality of Service", RFC 2212, September
              1997.

   [IIS-ACCT] Maiocchi, S., "NeTraMet & NeMaC for IIS Accounting:
              Users' Guide", CEFRIEL, Milan, 5 May 1998.  (See also
              http://www.cefriel.it/ntw)

   [IIS-RSVP] Wroclawski, J., "The Use of RSVP with IETF Integrated
              Services", RFC 2210, September 1997.
--
../data/rfc/rfc6097.txt:
   be discussed in this document.  The approaches discussed do not
   include all possible discovery mechanisms, but are limited to those
   considered to fit most simply into the PMIPv6 environment.

   o  LMA Address is retrieved from the Authentication, Authorization,
      and Accounting (AAA) infrastructure during the network access
      authentication procedure when the MN attaches to the MAG.

   o  LMA Fully Qualified Domain Name (FQDN) is retrieved from the AAA
      infrastructure during the network access authentication, followed
      by a Domain Name System (DNS) lookup.
--
../data/rfc/rfc1649.txt:

   The RELAY-MTA and Domain documents are coordinated by the group
   specified in the Community document.  The procedures for document
   information gathering and distribution, are for further study.

3.5.  Minimum Statistics/Accounting

   The following are not required for all MTAs.  The information is
   provided as guidelines for MTA managers.  This is helpful for
   observing service use and evaluating service performance.

--
../data/rfc/rfc7424.txt:
4.3.4.  Inline Data Path Measurement

   Implementations may perform recognition of large flows by performing
   measurements on traffic in the data path of a router.  Such an
   approach would be expected to operate at the interface speed on every
   interface, accounting for all packets processed by the data path of
   the router.  An example of such an approach is described in IPFIX
   [RFC5470].

   Using inline data path measurement, a faster and more accurate
   indication of large flows mapped to each of the component links in a
--
              Curtis, R., and S. Banerjee, "DevoFlow: Cost-Effective
              Flow Management for High Performance Enterprise
              Networks", Proceedings of the ACM SIGCOMM, 2010.

   [FLOW-ACC] Zseby, T., Hirsch, T., and B. Claise, "Packet Sampling
              for Flow Accounting: Challenges and Limitations",
              Proceedings of the 9th international Passive and Active
              Measurement Conference, 2008.

   [ITCOM]    Jo, J., Kim, Y., Chao, H., and F. Merat, "Internet
              traffic load balancing using dynamic hashing with flow
              volume", SPIE ITCOM, 2002.

   [NDTM]     Estan, C. and G. Varghese, "New Directions in Traffic
              Measurement and Accounting", Proceedings of ACM SIGCOMM,
              August 2002.

   [NVGRE]    Garg, P. and Y. Wang, "NVGRE: Network Virtualization
              using Generic Routing Encapsulation", Work in Progress,
              draft-sridharan-virtualization-nvgre-07, November 2014.
--
../data/rfc/rfc4682.txt:
   (decoded) back to analog output by a compatible CODEC at the
   receiving end.

   Operations Systems Support
   An Operations Systems Support system (OSS) is a system of back office
   software components used for fault, configuration, accounting,
   performance, and security management working in interaction with each
   other and providing the operations support in deployed PacketCable
   systems.

   Key Distribution Center
--
../data/rfc/rfc6697.txt:

   o  where the peer's home EAP server also performs re-authentication;
      and

   o  where a local re-authentication server exists but is co-located
      with an Authentication, Authorization, and Accounting (AAA) proxy
      within the domain.

   Other work provides further pieces of the solution or insight into
   the problem.  For the purpose of this memo, Hoeper, et al. [RFC5749]
   provide an abstract mechanism for distribution of keying material
--
   moves from one authenticator to another, the peer may be
   authenticated by the different authenticator during a period of time,
   and the authenticator to which the peer is currently attached needs
   to create a new AAA user session; however, the AAA server should not
   view these handoffs as different sessions.  Otherwise, this may
   affect user experience and also cause accounting or logging issues.
   For example, session ID creation, in most cases, is done by each
   authenticator to which the peer attaches.  In this sense, the new
   authenticator acting as AAA client needs to create a new AAA user
   session from scratch, which forces its corresponding AAA server to
   terminate the existing user session with the previous authenticator
--
../data/rfc/rfc1356.txt:
   Use of the single network layer protocol circuits described in
   section 3.2 is more efficient in terms of bandwidth if only a
   limited number of protocols are supported by a system.  It also
   allows each system to determine exactly which protocols are
   supported by its communicating partner.  Other advantages include
   being able to use X.25 accounting to detail each protocol and
   different quality of service or flow control windows for different
   protocols.
../data/rfc/rfc1356.txt- ../data/rfc/rfc1356.txt- The Null encapsulation, for multiplexing, is useful when a system, ../data/rfc/rfc1356.txt- for any reason (such as implementation restrictions or network cost -- ../data/rfc/rfc4923.txt- elastic application has no such boundary. Another way to look at the ../data/rfc/rfc4923.txt- difference is that real-time applications have an irreducible lower ../data/rfc/rfc4923.txt- bound on their bandwidth requirements. For example, the typical ../data/rfc/rfc4923.txt- G.711 payload is delivered in 160-byte samples (plus 40 bytes of IP/ ../data/rfc/rfc4923.txt- UDP/RTP headers) at 20 millisecond intervals. This will yield 80 ../data/rfc/rfc4923.txt: kbps of bandwidth, without silence suppression, and not accounting ../data/rfc/rfc4923.txt- for the layer 2 overhead. To operate in real-time, a G.711 codec ../data/rfc/rfc4923.txt- requires the network over which its data will be delivered to support ../data/rfc/rfc4923.txt- communications at 80 kbps at the IP layer with roughly constant end- ../data/rfc/rfc4923.txt- to-end delay and nominal or no loss. If this is not possible (if ../data/rfc/rfc4923.txt- there is significant loss or wide variations in delay), voice quality -- ../data/rfc/rfc5846.txt- with the Global (G) bit set and the Revocation Trigger field set to ../data/rfc/rfc5846.txt- "Per-Peer Policy" impacts all mobility sessions that are registered ../data/rfc/rfc5846.txt- with the mobile access gateway and its local mobility anchor peer, ../data/rfc/rfc5846.txt- the local mobility anchor MUST be locally configurable to authorize ../data/rfc/rfc5846.txt- such specific functionality. Additional mechanisms, such as a policy ../data/rfc/rfc5846.txt: store or Authentication, Authorization, and Accounting (AAA) may be ../data/rfc/rfc5846.txt- employed, but these are outside the scope of this specification. ../data/rfc/rfc5846.txt- ../data/rfc/rfc5846.txt-14. 
Acknowledgements ../data/rfc/rfc5846.txt- ../data/rfc/rfc5846.txt- The authors would like to thank Ryuji Wakikawa, Bruno Mongazon- -- ../data/rfc/rfc2607.txt- The Network Access Server (NAS) is the device that clients contact ../data/rfc/rfc2607.txt- in order to get access to the network. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- RADIUS server ../data/rfc/rfc2607.txt- This is a server which provides for authentication/authorization ../data/rfc/rfc2607.txt: via the protocol described in [3], and for accounting as described ../data/rfc/rfc2607.txt- in [4]. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- -- ../data/rfc/rfc2607.txt-RFC 2607 Proxy Chaining and Policy in Roaming June 1999 ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- RADIUS proxy ../data/rfc/rfc2607.txt- In order to provide for the routing of RADIUS authentication and ../data/rfc/rfc2607.txt: accounting requests, a RADIUS proxy can be employed. To the NAS, ../data/rfc/rfc2607.txt- the RADIUS proxy appears to act as a RADIUS server, and to the ../data/rfc/rfc2607.txt- RADIUS server, the proxy appears to act as a RADIUS client. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Network Access Identifier ../data/rfc/rfc2607.txt- In order to provide for the routing of RADIUS authentication and ../data/rfc/rfc2607.txt: accounting requests, the userID field used in PPP (known as the ../data/rfc/rfc2607.txt- Network Access Identifier or NAI) and in the subsequent RADIUS ../data/rfc/rfc2607.txt: authentication and accounting requests, can contain structure. ../data/rfc/rfc2607.txt- This structure provides a means by which the RADIUS proxy will ../data/rfc/rfc2607.txt- locate the RADIUS server that is to receive the request. The NAI ../data/rfc/rfc2607.txt- is defined in [6]. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Roaming relationships -- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt-4. 
Introduction ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Today, as described in [1], proxy chaining is widely deployed for the ../data/rfc/rfc2607.txt- purposes of providing roaming services. In such systems, ../data/rfc/rfc2607.txt: authentication/authorization and accounting packets are routed ../data/rfc/rfc2607.txt- between a NAS device and a home server through a series of proxies. ../data/rfc/rfc2607.txt- Consultation of the home server is required for password-based ../data/rfc/rfc2607.txt- authentication, since the home server maintains the password database ../data/rfc/rfc2607.txt- and thus it is necessary for the NAS to communicate with the home ../data/rfc/rfc2607.txt- authentication server in order to verify the user's identity. -- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Scalability improvement ../data/rfc/rfc2607.txt- Authentication forwarding ../data/rfc/rfc2607.txt- Capabilities adjustment ../data/rfc/rfc2607.txt- Policy implementation ../data/rfc/rfc2607.txt: Accounting reliability improvement ../data/rfc/rfc2607.txt- Atomic operation ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Scalability improvement ../data/rfc/rfc2607.txt- In large scale roaming systems, it is necessary to provide for ../data/rfc/rfc2607.txt- scalable management of keys used for integrity protection and -- ../data/rfc/rfc2607.txt- one for each partner pair. However, were the partners to ../data/rfc/rfc2607.txt- route authentication requests through a central proxy, only ../data/rfc/rfc2607.txt- 100 shared secrets would be needed, one for each partner. The ../data/rfc/rfc2607.txt- reduction in the number of partner pairs also brings with it ../data/rfc/rfc2607.txt- other benefits, such as a reduction in the number of bilateral ../data/rfc/rfc2607.txt: agreements and accounting and auditing overhead. 
Thus, ../data/rfc/rfc2607.txt- hierarchical routing might be desirable even if an ../data/rfc/rfc2607.txt- authentication protocol supporting automated key exchange were ../data/rfc/rfc2607.txt- available. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Capabilities adjustment -- ../data/rfc/rfc2607.txt- probably not be necessary. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Authentication forwarding ../data/rfc/rfc2607.txt- Since roaming associations frequently implement hierarchical ../data/rfc/rfc2607.txt- forwarding in order to improve scalability, in order for a NAS ../data/rfc/rfc2607.txt: and home server to communicate, authentication and accounting ../data/rfc/rfc2607.txt- packets are forwarded by one or more proxies. The path ../data/rfc/rfc2607.txt- travelled by these packets, known as the roaming relationship ../data/rfc/rfc2607.txt- path, is determined from the Network Access Identifier (NAI), ../data/rfc/rfc2607.txt- described in [6]. Since most NAS devices do not implement ../data/rfc/rfc2607.txt- forwarding logic, a proxy is needed to enable forwarding of ../data/rfc/rfc2607.txt: authentication and accounting packets. For reasons that are ../data/rfc/rfc2607.txt- described in the security section, in proxy systems it is ../data/rfc/rfc2607.txt: desirable for accounting and authentication packets to follow ../data/rfc/rfc2607.txt- the same path. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Note: The way a proxy learns the mapping between NAI and the ../data/rfc/rfc2607.txt- home server is beyond the scope of this document. This ../data/rfc/rfc2607.txt- mapping can be accomplished by static configuration in the -- ../data/rfc/rfc2607.txt-RFC 2607 Proxy Chaining and Policy in Roaming June 1999 ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- operates as a "man in the middle." 
../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: Accounting reliability improvement ../data/rfc/rfc2607.txt- In roaming systems based on proxy chaining, it is necessary ../data/rfc/rfc2607.txt: for accounting information to be forwarded between the NAS and ../data/rfc/rfc2607.txt- the home server. Thus roaming is inherently an interdomain ../data/rfc/rfc2607.txt- application. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: This represents a problem since the RADIUS accounting ../data/rfc/rfc2607.txt- protocol, described in [4], is not designed for use on an ../data/rfc/rfc2607.txt: Internet scale. Given that in roaming accounting packets ../data/rfc/rfc2607.txt- travel between administrative domains, packets will often pass ../data/rfc/rfc2607.txt- through network access points (NAPs) where packet loss may be ../data/rfc/rfc2607.txt- substantial. This can result in unacceptable rates of ../data/rfc/rfc2607.txt: accounting data loss. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- For example, in a proxy chaining system involving four ../data/rfc/rfc2607.txt- systems, a one percent failure rate on each hop can result in ../data/rfc/rfc2607.txt: loss of 3.9 percent of all accounting transactions. Placement ../data/rfc/rfc2607.txt: of an accounting proxy near the NAS may improve reliability by ../data/rfc/rfc2607.txt: enabling persistent storage of accounting records and ../data/rfc/rfc2607.txt- long duration retry. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Atomic operation ../data/rfc/rfc2607.txt- In order to ensure consistency among all parties required to ../data/rfc/rfc2607.txt: process accounting data, it can be desirable to assure that ../data/rfc/rfc2607.txt: transmission of accounting data is handled as an atomic ../data/rfc/rfc2607.txt- operation. 
This implies that all parties on the roaming ../data/rfc/rfc2607.txt- relationship path will receive and acknowledge the receipt of ../data/rfc/rfc2607.txt: the accounting data for the operation to complete. Proxies can ../data/rfc/rfc2607.txt: be used to ensure atomic delivery of accounting data by ../data/rfc/rfc2607.txt: arranging for delivery of the accounting data in a serial ../data/rfc/rfc2607.txt- fashion, as discussed in section 5.2. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt-5. Proxy chaining ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- An example of a proxy chaining system is shown below. -- ../data/rfc/rfc2607.txt-RFC 2607 Proxy Chaining and Policy in Roaming June 1999 ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- matches the reply with the request it sent earlier and forwards a ../data/rfc/rfc2607.txt- reply to the NAS. This model applies to all requests, including ../data/rfc/rfc2607.txt: Access Requests and Accounting Requests. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Except for the two cases described below, a proxy server such as ../data/rfc/rfc2607.txt- Proxy2 in the diagram above SHOULD NOT send a Reply packet to Proxy1 ../data/rfc/rfc2607.txt- without first having received a Reply packet initiated by the Home ../data/rfc/rfc2607.txt- Server. The two exceptions are when the proxy is enforcing policy as ../data/rfc/rfc2607.txt- described in section 5.1 and when the proxy is acting as an ../data/rfc/rfc2607.txt: accounting store (as in store and forward), as described in section ../data/rfc/rfc2607.txt- 5.2. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- The RADIUS protocol described in [3] does not provide for end-to-end ../data/rfc/rfc2607.txt- security services, including integrity or replay protection, ../data/rfc/rfc2607.txt- authentication or confidentiality. 
As noted in the security -- ../data/rfc/rfc2607.txt- <--------- <--------- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- A proxy MAY also decide to Reject a Request that has been accepted by ../data/rfc/rfc2607.txt- the home server. This could be based on the set of attributes ../data/rfc/rfc2607.txt- returned by the home server. In this case the Proxy SHOULD send an ../data/rfc/rfc2607.txt: Access-Reject to the NAS and an Accounting-Request with Acct-Status- ../data/rfc/rfc2607.txt- Type=Proxy-Stop (6) to the home server. This lets the home server ../data/rfc/rfc2607.txt- know that the session it approved has been denied downstream by the ../data/rfc/rfc2607.txt- proxy. However, a proxy MUST NOT send an Access-Accept after ../data/rfc/rfc2607.txt- receiving an Access-Reject from a proxy or from the home server. ../data/rfc/rfc2607.txt- -- ../data/rfc/rfc2607.txt- (Access-Reject) (Access-Accept) (Access-Accept) Server ../data/rfc/rfc2607.txt- <--------- <--------- <--------- ../data/rfc/rfc2607.txt- (AcctPxStop) (AcctPxStop) ../data/rfc/rfc2607.txt- ----------> ----------> ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt:5.2. Accounting behavior ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- As described above, a proxy MUST NOT reply directly with an Access- ../data/rfc/rfc2607.txt- Accept, and MUST NOT reply with an Access-Accept when it has received ../data/rfc/rfc2607.txt- an Access-Reject from another proxy or Home Server. As a result, in ../data/rfc/rfc2607.txt: all cases where an accounting record is to be generated (accepted ../data/rfc/rfc2607.txt- sessions), no direct replies have occurred, and the Access-Request ../data/rfc/rfc2607.txt- and Access-Accept have passed through the same set of systems. 
../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: In order to allow proxies to match incoming Accounting-Requests with ../data/rfc/rfc2607.txt- previously handled Access-Requests and Access-Accepts, a proxy SHOULD ../data/rfc/rfc2607.txt: route the Accounting-Request along the same realm path travelled in ../data/rfc/rfc2607.txt- authentication/authorization. Note that this does not imply that ../data/rfc/rfc2607.txt: accounting packets will necessarily travel the identical path, ../data/rfc/rfc2607.txt- machine by machine, as did authentication/authorization packets. ../data/rfc/rfc2607.txt- This is because it is conceivable that a proxy may have gone down, ../data/rfc/rfc2607.txt: and as a result the Accounting-request may need to be forwarded to an ../data/rfc/rfc2607.txt- alternate server. It is also conceivable that ../data/rfc/rfc2607.txt: authentication/authorization and accounting may be handled by ../data/rfc/rfc2607.txt- different servers within a realm. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: The Class attribute can be used to match Accounting Requests with ../data/rfc/rfc2607.txt- prior Access Requests. It can also be used to match session log ../data/rfc/rfc2607.txt- records between the home Server, proxies, and NAS. This matching can ../data/rfc/rfc2607.txt- be accomplished either in real-time (in the case that authentication ../data/rfc/rfc2607.txt: and accounting packets follow the same path, machine by machine), or ../data/rfc/rfc2607.txt- after the fact. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Home servers SHOULD insert a unique session identifier in the Class ../data/rfc/rfc2607.txt- attribute in an Access-Accept and Access-Challenge. Proxies and ../data/rfc/rfc2607.txt- NASes MUST forward the unmodified Class attribute. The NAS MUST ../data/rfc/rfc2607.txt- include the Class attribute in subsequent requests, in particular for ../data/rfc/rfc2607.txt: Accounting-Requests. 
The sequence of events is shown below: ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- -- ../data/rfc/rfc2607.txt- --------> --------> ---------> ../data/rfc/rfc2607.txt- NAS Proxy1 Proxy2 Home (add class) ../data/rfc/rfc2607.txt- <-class-- <-class- <-class-- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: Accounting ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: (Accounting-req) (Accounting-req) (Accounting-req) ../data/rfc/rfc2607.txt- w/class w/class w/class ../data/rfc/rfc2607.txt- NAS ----------> Proxy1 ----------> Proxy2 ----------> Home ../data/rfc/rfc2607.txt: (Accounting-reply) (Accounting-reply)(Accounting-reply) Server ../data/rfc/rfc2607.txt- <--------- <--------- <--------- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: Since there is no need to implement policy in accounting, a proxy ../data/rfc/rfc2607.txt: MUST forward all Accounting Requests to the next server on the path. ../data/rfc/rfc2607.txt: The proxy MUST guarantee that the Accounting Request is received by ../data/rfc/rfc2607.txt- the End Server and all intermediate servers. The proxy may do this ../data/rfc/rfc2607.txt: either by: 1) forwarding the Accounting Request and not sending a ../data/rfc/rfc2607.txt- Reply until it receives the matching Reply from the upstream server, ../data/rfc/rfc2607.txt- or 2) acting as a store point which takes responsibility for ../data/rfc/rfc2607.txt: reforwarding the Accounting Request until it receives a Reply. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Note that when the proxy does not send a reply until it receives a ../data/rfc/rfc2607.txt: matching reply, this ensures that Accounting Start and Stop messages ../data/rfc/rfc2607.txt- are received and can be logged by all servers along the roaming ../data/rfc/rfc2607.txt- relationship path. If one of the servers is not available, then the ../data/rfc/rfc2607.txt: operation will fail. 
As a result the entire accounting transaction ../data/rfc/rfc2607.txt- will either succeed or fail as a unit, and thus can be said to be ../data/rfc/rfc2607.txt- atomic. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Where store and forward is implemented, it is possible that one or ../data/rfc/rfc2607.txt- more servers along the roaming relationship path will not receive the ../data/rfc/rfc2607.txt: accounting data while others will. The accounting operation will not ../data/rfc/rfc2607.txt- succeed or fail as a unit, and is therefore not atomic. As a result, ../data/rfc/rfc2607.txt- it may not be possible for the roaming partners to reconcile their ../data/rfc/rfc2607.txt- audit logs, opening new opportunities for fraud. Where store and ../data/rfc/rfc2607.txt: forward is implemented, forwarding of Accounting Requests SHOULD be ../data/rfc/rfc2607.txt- done as they are received so the downstream servers will receive them ../data/rfc/rfc2607.txt- in a timely way. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Note that there are cases where a proxy will need to forward an ../data/rfc/rfc2607.txt: Accounting packet to more than one system. For example, in order to ../data/rfc/rfc2607.txt: allow for proper accounting in the case of a NAS that is shutting ../data/rfc/rfc2607.txt: down, the proxy can send an Accounting-Request with Acct-Status- ../data/rfc/rfc2607.txt: Type=Accounting-Off (8) to all realms that it forwards to. In turn, ../data/rfc/rfc2607.txt- these proxies will also flood the packet to their connected realms. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt-Aboba & Vollbrecht Informational [Page 8] -- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- [3] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote ../data/rfc/rfc2607.txt- Authentication Dial In User Service (RADIUS)", RFC 2138, April ../data/rfc/rfc2607.txt- 1997. 
../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: [4] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement ../data/rfc/rfc2607.txt- Levels", BCP 14, RFC 2119, March 1997. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- [6] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC -- ../data/rfc/rfc2607.txt- security threats, including: ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Message editing ../data/rfc/rfc2607.txt- Attribute editing ../data/rfc/rfc2607.txt- Theft of passwords ../data/rfc/rfc2607.txt: Theft and modification of accounting data ../data/rfc/rfc2607.txt- Replay attacks ../data/rfc/rfc2607.txt- Connection hijacking ../data/rfc/rfc2607.txt: Fraudulent accounting ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt-7.1. Message editing ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Through the use of shared secrets it is possible for proxies ../data/rfc/rfc2607.txt- operating in different domains to establish a trust relationship. -- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- For example, an Access-Accept could be substituted for an Access- ../data/rfc/rfc2607.txt- Reject, and without end-to-end integrity protection, there is no way ../data/rfc/rfc2607.txt- for the NAS to detect this. On the home server, this will result in ../data/rfc/rfc2607.txt: an accounting log entry for a session that was not authorized. ../data/rfc/rfc2607.txt: However, if the proxy does not forward accounting packets or session ../data/rfc/rfc2607.txt- records to the home server, then the home server will not be able to ../data/rfc/rfc2607.txt- detect the discrepancy until a bill is received and audited. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Note that a proxy can also send an Access-Reject to the NAS after ../data/rfc/rfc2607.txt- receiving an Access-Accept from the home server. 
This will result in ../data/rfc/rfc2607.txt: an authentication log entry without a corresponding accounting log ../data/rfc/rfc2607.txt: entry. Without the proxy sending an Accounting-Request with Acct- ../data/rfc/rfc2607.txt- Status-Type=Proxy-Stop (6) to the home server, then there will be no ../data/rfc/rfc2607.txt- way for the home server to determine whether the discrepancy is due ../data/rfc/rfc2607.txt: to policy implementation or loss of accounting packets. Thus the use ../data/rfc/rfc2607.txt- of Acct-Status-Type=Proxy-Stop can be of value in debugging roaming ../data/rfc/rfc2607.txt- systems. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- It should be noted that even if end-to-end security were to be ../data/rfc/rfc2607.txt- available, a number of sticky questions would remain. While the end- -- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- provided to the client. The mismatch between requested and received ../data/rfc/rfc2607.txt- services may only be detectable after the fact by comparing the ../data/rfc/rfc2607.txt- Access-Accept attributes against the attributes included in the ../data/rfc/rfc2607.txt: Accounting-Request. However, without end-to-end security services, it ../data/rfc/rfc2607.txt- is possible for a rogue proxy to cover its tracks. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- Due to the complexity of proxy configuration, such attacks need not ../data/rfc/rfc2607.txt- involve malice, but can occur due to mis-configuration or ../data/rfc/rfc2607.txt- implementation deficiencies. Today several proxy implementations -- ../data/rfc/rfc2607.txt- confidentiality. As a result, where clients authenticate using PAP, ../data/rfc/rfc2607.txt- each proxy along the path between the local NAS and the home server ../data/rfc/rfc2607.txt- will have access to the cleartext password. In many circumstances, ../data/rfc/rfc2607.txt- this represents an unacceptable security risk. 
../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt:7.4. Theft and modification of accounting data ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: Typically in roaming systems, accounting packets are provided to all ../data/rfc/rfc2607.txt- the participants along the roaming relationship path, in order to ../data/rfc/rfc2607.txt- allow them to audit subsequent invoices. RADIUS as described in [3] ../data/rfc/rfc2607.txt- does not provide for end-to-end security services, including ../data/rfc/rfc2607.txt- integrity protection or confidentiality. Without end-to-end integrity ../data/rfc/rfc2607.txt: protection, it is possible for proxies to modify accounting packets ../data/rfc/rfc2607.txt: or session records. Without end-to-end confidentiality, accounting ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt-Aboba & Vollbrecht Informational [Page 11] ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt-RFC 2607 Proxy Chaining and Policy in Roaming June 1999 ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- data will be accessible to proxies. However, if the objective is ../data/rfc/rfc2607.txt: merely to prevent snooping of accounting data on the wire, then IPSEC ../data/rfc/rfc2607.txt- ESP can be used. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt-7.5. Replay attacks ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- In this attack, a man in the middle or rogue proxy collects CHAP- ../data/rfc/rfc2607.txt- Challenge and CHAP-Response attributes, and later replays them. If ../data/rfc/rfc2607.txt- this attack is performed in collaboration with an unscrupulous ISP, ../data/rfc/rfc2607.txt: it can be used to subsequently submit fraudulent accounting records ../data/rfc/rfc2607.txt- for payment. The system performing the replay need not necessarily ../data/rfc/rfc2607.txt- be the one that initially captured the CHAP Challenge/Response pair. 
../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- While RADIUS as described in [3] is vulnerable to replay attacks, ../data/rfc/rfc2607.txt- without roaming the threat is restricted to proxies operating in the -- ../data/rfc/rfc2607.txt- In this form of attack, the attacker attempts to inject packets into ../data/rfc/rfc2607.txt- the conversation between the NAS and the home server. RADIUS as ../data/rfc/rfc2607.txt- described in [3] is vulnerable to such attacks since only Access- ../data/rfc/rfc2607.txt- Reply and Access-Challenge packets are authenticated. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt:7.7. Fraudulent accounting ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: In this form of attack, a local proxy transmits fraudulent accounting ../data/rfc/rfc2607.txt- packets or session records in an effort to collect fees to which they ../data/rfc/rfc2607.txt- are not entitled. This includes submission of packets or session ../data/rfc/rfc2607.txt- records for non-existent sessions. Since in RADIUS as described in ../data/rfc/rfc2607.txt- [3], there is no end-to-end security, a rogue proxy may insert or ../data/rfc/rfc2607.txt- edit packets without fear of detection. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt: In order to detect submissions of accounting packets or session ../data/rfc/rfc2607.txt: records for non-existent sessions, parties receiving accounting ../data/rfc/rfc2607.txt- packets or session records would be prudent to reconcile them with ../data/rfc/rfc2607.txt- the authentication logs. Such reconciliation is only typically ../data/rfc/rfc2607.txt- possible when the party acts as an authentication proxy for all ../data/rfc/rfc2607.txt: sessions for which an accounting record will subsequently be ../data/rfc/rfc2607.txt- submitted. ../data/rfc/rfc2607.txt- ../data/rfc/rfc2607.txt- In order to make reconciliation easier, home servers involved in ../data/rfc/rfc2607.txt- roaming include a Class attribute in the Access-Accept. 
../data/rfc/rfc2607.txt:
The Class attribute uniquely identifies a session, so as to allow an authentication log entry to be matched with a corresponding accounting packet or session record.

Aboba & Vollbrecht Informational [Page 12]

RFC 2607 Proxy Chaining and Policy in Roaming June 1999

If reconciliation is put in place and all accounting log entries without a corresponding authentication are rejected, then the attacker will need to have obtained a valid user password prior to submitting accounting packets or session records on non-existent sessions. While use of end-to-end security can defeat unauthorized injection or editing of accounting or authentication packets by intermediate proxies, other attacks remain feasible. For example, unless replay protection is put in place, it is still feasible for an intermediate proxy to resubmit authentication or accounting packets or session records. In addition, end-to-end security does not provide protection against attacks by the local proxy, since this is typically where end-to-end security will be initiated. To detect such attacks, other measures need to be put in place, such as systems for detecting unusual activity of ISP or user accounts, or for determining whether a user or ISP account is within their credit limit.

Note that implementation of the store and forward approach to proxy accounting makes it possible for some systems in the roaming relationship path to receive accounting records that other systems do not get. This can result in audit discrepancies. About the best that is achievable in such cases is to verify that the accounting data is missing by checking against the authentication logs.

8. Acknowledgments

Thanks to Pat Calhoun of Sun Microsystems, Mark Beadles of

../data/rfc/rfc4784.txt:
The Verizon Wireless Dynamic Mobile IP Key Update procedure is a mechanism for distributing and updating Mobile IP (MIP) cryptographic keys in cdma2000(R) networks (including High Rate Packet Data, which is often referred to as 1xEV-DO). The Dynamic Mobile IP Key Update (DMU) procedure occurs between the MIP Mobile Node (MN) and RADIUS Authentication, Authorization and Accounting (AAA) Server via a cdma2000(R) Packet Data Serving Node (PDSN) that is acting as a Mobile IP Foreign Agent (FA).

cdma2000(R) is a registered trademark of the Telecommunications Industry Association (TIA).
--
mechanism for distributing and updating Mobile IP (MIP) cryptographic keys in cdma2000(R) 1xRTT (1X) [2] and High Rate Packet Data (HRPD) / 1xEV-DO networks [3]. The Dynamic Mobile IP Key Update (DMU) procedure occurs between the Mobile IP Mobile Node (MN) and the home RADIUS [4] (or Diameter [5]) Authentication, Authorization and Accounting (AAA) Server via a cdma2000(R) Packet Data Serving Node (PDSN) that is acting as a Mobile IP Foreign Agent (FA). (In this document, we use the acronym AAAH to indicate the home AAA server as opposed to an AAA server that may be located in a visited system.) This procedure is intended to support wireless systems conforming to Telecommunications Industry Association (TIA) TR-45 Standard IS-835

../data/rfc/rfc3654.txt:
packet processing and handling. By allowing the control and forwarding planes to evolve independently, different types of FEs can be developed - some general purpose and others more specialized. Some functions that FEs could perform include layer 3 forwarding, metering, shaping, firewall, NAT, encapsulation (e.g., tunneling), decapsulation, encryption, accounting, etc. Nearly all combinations of these functions may be present in practical FEs.

Below is a diagram illustrating an example NE composed of a CE and two FEs. Both FEs and CE require minimal configuration as part of the pre-configuration process and this may be done by FE Manager and
--
The model MUST be capable of describing the order in which these logical functions are applied in an FE. The ordering of logical functions is important in many cases. For example, a NAT function may change a packet's source or destination IP address. Any number of other logical functions (e.g., layer 3 forwarding, ingress/egress firewall, shaping, and accounting) may make use of the source or destination IP address when making decisions. The CE needs to know whether to configure these logical functions with the pre-NAT or post-NAT IP address. Furthermore, the model MUST be capable of expressing multiple instances of the same logical function in an FE's processing path. Using NAT again as an example, one NAT function is
--
events as well. This does NOT mean off-loading of any piece of code to an FE, just that the FE Model should be able to express existing off-loaded functions on an FE.

9) IPFLOW/PSAMP Functions
Several applications, such as usage-based accounting and traffic engineering, require flow-based IP traffic measurements from Network Elements. [IPFLOW] defines an architecture for IP traffic flow monitoring, measuring and exporting. The FE model SHOULD be able to express metering functions and flow accounting needed for exporting IP traffic flow information. Similarly, to support measurement-based applications, [PSAMP] describes a framework to define a standard set of capabilities for network elements to sample subsets of packets by statistical and other methods. The FE model SHOULD be able to express statistical packet filtering functions and packet information

../data/rfc/rfc8404.txt:
2.2.3. Network-Congestion Management
2.2.4. Performance-Enhancing Proxies
2.2.5. Caching and Content Replication near the Network Edge
2.2.6. Content Compression
2.2.7. Service Function Chaining
2.3. Content Filtering, Network Access, and Accounting
2.3.1. Content Filtering
2.3.2. Network Access and Data Usage
2.3.3. Application Layer Gateways (ALGs)
2.3.4. HTTP Header Insertion
3. Encryption in Hosting and Application SP Environments
--
In the SFC case, the layer below a network service header can be protected with session encryption. A goal is protecting end-user data, while retaining the intended functions of RFC 7665 [RFC7665] at the same time.

2.3. Content Filtering, Network Access, and Accounting

Mobile networks and many ISPs operate under the regulations of their licensing government authority. These regulations include Lawful Intercept, adherence to Codes of Practice on content filtering, and application of court order filters. Such regulations assume network access to provide content filtering and accounting, as discussed below. As previously stated, the intent of this document is to document existing practices; the development of IETF protocols follows the guiding principles of [RFC1984] and [RFC2804] and explicitly does not support tools and methods that could be used for wiretapping and censorship.
--
However, there are cases (beyond parental control) when a network service provider currently redirects customer requests for content (affecting content accessibility):

1. The network service provider is performing the accounting and billing for the content provider, and the customer has not (yet) purchased the requested content.

2. Further content may not be allowed as the customer has reached their usage limit and needs to purchase additional data service,
--
3.1.1. Monitoring Customer Access

Hosted applications that allow some level of customer-management access may also require monitoring by the hosting service provider. Monitoring could include access-control restrictions such as authentication, authorization, and accounting for filtering and firewall rules to ensure they are continuously met. Customer access may occur on multiple levels, including user-level and administrative access. The hosting service provider may need to monitor access through either session monitoring or log evaluation to ensure security SLAs for access management are met. The use of session
--
Information Export (IPFIX), a flow-based protocol used to export information about network flows.

6.1. IP Flow Information Export

Many of the accounting, monitoring, and measurement tasks described in this document, especially in Sections 2.3.2, 3.1.1, 4.1.3, 4.2, and 5.2, use the IPFIX protocol [RFC7011] for export and storage of the monitored information. IPFIX evolved from the widely deployed NetFlow protocol [RFC3954], which exports information about flows identified by 5-tuple. While NetFlow was largely concerned with exporting per-flow byte and packet counts for accounting purposes, IPFIX's extensible Information Model [RFC7012] provides a variety of Information Elements (IEs) [IPFIX-IANA] for representing information above and below the traditional network-layer flow information. Enterprise-specific IEs allow exporter vendors to define their own non-standard IEs as well, and many of these are driven by header and

../data/rfc/rfc8582.txt:
9. IANA Considerations

IANA has registered the following values in the "Authentication, Authorization, and Accounting (AAA) Parameters" registry:

One new AVP code is defined in Section 7.2.1.

One new OC-Feature-Vector AVP value is defined in Section 7.1.1.

../data/rfc/rfc2165.txt:
DA Advertisement Replies may arrive from different sources, similar in form to:

URL returned: service:directory-agent://slp-resolver.catch22.com
Scope returned: ACCOUNTING

URL returned: service:directory-agent://204.182.15.66
Scope returned: JANITORIAL SERVICES

The DA Advertisement format is defined in Section 14.

../data/rfc/rfc5591.txt:
following constraints:

1. In times of network stress, the security protocol and its underlying security mechanisms SHOULD NOT depend solely upon the ready availability of other network services (e.g., Network Time Protocol (NTP) or Authentication, Authorization, and Accounting (AAA) protocols).

2. When the network is not under stress, the Security Model and its underlying security mechanisms MAY depend upon the ready availability of other network services.

../data/rfc/rfc7174.txt:
- Fault Management

- Configuration Management

- Accounting Management

- Performance Management

- Security Management

../data/rfc/rfc6392.txt:
replication. CDNs offer fast and reliable applications and services by distributing content to cache or edge servers located close to users. See [14] for an additional taxonomy and survey.

A CDN has some combination of content delivery, request routing, distribution, and accounting infrastructures. The content-delivery infrastructure consists of a set of edge servers (also called surrogates) that deliver copies of content to end users. The request-routing infrastructure is responsible for directing client requests to appropriate edge servers. It also interacts with the distribution infrastructure to keep an up-to-date view of the content stored in the CDN caches. The distribution infrastructure moves content from the origin server to the CDN edge servers and ensures consistency of content in the caches. The accounting infrastructure maintains logs of client accesses and records the usage of the CDN servers. This information is used for traffic reporting and usage-based billing.

In practice, a CDN typically hosts static content including images,

../data/rfc/rfc6150.txt:
of MS-CHAP are also supported by RADIUS [RFC2548] and the Extensible Authentication Protocol (EAP) [RFC5281]. In 2007, [RFC4962] listed MS-CHAP v1 and v2 as flawed and recommended against their use; these incidents were presented as a strong indication for the necessity of built-in crypto-algorithm agility in Authentication, Authorization, and Accounting (AAA) protocols.
--
[RFC4757] Jaganathan, K., Zhu, L., and J. Brezak, "The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows", RFC 4757, December 2006.

[RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management", BCP 132, RFC 4962, July 2007.

[RFC5126] Pinkas, D., Pope, N., and J. Ross, "CMS Advanced Electronic Signatures (CAdES)", RFC 5126, March 2008.

../data/rfc/rfc1374.txt:
kilobytes of user data consists of "n" full bursts and one short burst equal in length to the number of bytes in the HIPPI, LLC, IP and TCP headers. "Hold Time" is the minimum connection duration needed to send the packets. "Burst Rate" is the effective transfer rate for the duration of the connection, not counting connection switching time. Throughput rates are in megabytes/second, accounting for connection switching times of 10, 30, 60, 90, 120 and 150 microseconds. These calculations ignore any limit on the rate at

../data/rfc/rfc5706.txt:
3.3.2. Fault Determination
3.3.3. Root Cause Analysis
3.3.4. Fault Isolation
3.4. Configuration Management
3.4.1. Verifying Correct Operation
3.5. Accounting Management
3.6. Performance Management
3.6.1. Monitoring the Protocol
3.6.2. Monitoring the Device
3.6.3. Monitoring the Network
3.6.4. Monitoring the Service
--
and

o NETCONF Configuration Protocol [RFC4741]

o the IP Flow Information Export (IPFIX) Protocol [RFC5101] for usage accounting

o the syslog protocol [RFC5424] for logging

Interoperability needs to be considered on the syntactic level and the semantic level. While it can be irritating and time-consuming,
--
functioning of the protocol, and whether that is verified by testing the service function and/or by testing the forwarding function of each network element. This may be achieved through status and statistical information gathered from devices.

3.5. Accounting Management

A protocol designer should consider whether it would be appropriate to collect usage information related to this protocol and, if so, what usage information would be appropriate to collect.

"Introduction to Accounting Management" [RFC2975] discusses a number of factors relevant to monitoring usage of protocols for purposes of capacity and trend analysis, cost allocation, auditing, and billing. The document also discusses how some existing protocols can be used for these purposes. These factors should be considered when designing a protocol whose usage might need to be monitored or when recommending a protocol to do usage accounting.

3.6. Performance Management

From a manageability point of view, it is important to determine how well a network deploying the protocol or technology defined in the
--
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to Accounting Management", RFC 2975, October 2000.

Harrington Informational [Page 29]
--
protocols in the network? Will it impact performance (e.g., jitter) of certain types of applications running in the same network?

* Does the new protocol need supporting services (e.g., DNS or Authentication, Authorization, and Accounting - AAA) added to an existing network?

6. Have suggestions for verifying correct operation been discussed? See Section 2.6.
--
RFC 5706 Ops and Mgmt Guidelines November 2009

5. Is accounting management discussed? See Section 3.5.

6. Is performance management discussed? See Section 3.6.

* Does the protocol have an impact on network traffic and network devices? Can performance be measured?

../data/rfc/rfc164.txt:
o Are looking for an NCP implementer.

o Will use other services; laser store and UCSB.

o Their general research includes an interest in Network accounting and management.

o Will go onto Net as soon as possible to ILLINOIS.

o Will go on via TIP if it can support two nodes.
--
sufficient to have only one connection with each site.

On software development, the NCP progress has been extremely poor and slow. The second iteration should have been defined by now from experiences with the first. Towards the end of the year a new protocol should be defined to last for a couple of years. Accounting and billing protocol should also be defined. The NCP protocol is getting to be a critical problem -- everyone should be complete and consistent with the current protocol by July 1. Without it, there will be serious problems of bringing new people onto the Net. For example, the I4 and the laser store will be on the Net by March or

../data/rfc/rfc4672.txt:
Authorization extensions on the network access server (NAS) devices to handle the Disconnect and Change-of-Authorization (CoA) messages, as described in [RFC3576]. As a result, the effective management of RADIUS Dynamic Authorization entities is of considerable importance. This RADIUS Dynamic Authorization Client MIB complements the managed objects used for managing RADIUS authentication and accounting servers, as described in [RFC4669] and [RFC4671], respectively.

1.1. Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
--
Standard Management Framework", RFC 3410, December 2002.

[RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6", RFC 4669, August 2006.

[RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC 4671, August 2006.

De Cnodder, et al. Informational [Page 21]

../data/rfc/rfc4080.txt:
In some cases, it is desired to be able to initiate and/or terminate NSIS signaling not from the end host that sends/receives the data flow, but from some other entities in the network that can be called signaling proxies. There could be various reasons for this: signaling on behalf of the end hosts that are not NSIS-aware, consolidation of the customer accounting (authentication, authorization) in respect to consumed application and transport resources, security considerations, limitation of the physical connection between host and network, and so on. This configuration can be considered a kind of "proxy on the data path"; see Figure 2.
--
deployment comes from a restriction of the number of impacted nodes in case of deployment and/or upgrade of an NSLP. Path-decoupled signaling would allow, for instance, deploying a solution without upgrading any of the routers in the data plane. Additional functionality that can be supported includes the use of off-path proxies to support authorization or accounting architectures.

There are potentially significant differences in the way that the two signaling paradigms should be analyzed. Using a single centralized off-path NE may increase the requirements in terms of message handling; on the other hand, path-decoupled signaling is equally
--
When state has been installed along the new path, the existing state on the old path needs to be removed. With the soft-state principle, this will happen automatically because of the lack of refresh messages. Depending on the refresh timer, however, it may be required to tear down this state much faster (e.g., because it is tied to an accounting record). In that case, the teardown message needs to be able to distinguish between the new path and the old path.

In some environments, it is desirable to provide connectivity and per-flow or per-class state management with high-availability
--
[11] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, July 2003.

[12] Tschofenig, H., "NSIS Authentication, Authorization and Accounting Issues", Work in Progress, March 2003.

[13] Berger, L., Gan, D., Swallow, G., Pan, P., Tommasi, F., and S. Molendini, "RSVP Refresh Overhead Reduction Extensions", RFC 2961, April 2001.

../data/rfc/rfc8011.txt:
the Client software automatically supplies the Document name on behalf of the End User by using a file name or an application-generated name. If this attribute is supplied, its value can be used in a manner defined by each implementation. Examples include the following: printed along with the Job (Job start sheet, page adornments, etc.), used by accounting or resource-tracking management tools, or even stored along with the Document as a Document-level attribute.

"compression" (type2 keyword):
--
operation has been performed, a Printer MUST return no Jobs in subsequent Get-Job-Attributes and Get-Jobs responses (until new Jobs are submitted).

Note: This operation SHOULD NOT be supported in new implementations, since it destroys Printer accounting information.

Whether the Purge-Jobs (and Get-Jobs) operation affects Jobs that were submitted to the device from sources other than the IPP Printer in the same way that the Purge-Jobs operation affects Jobs that were submitted to the IPP Printer using IPP depends on implementation,
--
This DEPRECATED operation allows a Client to restart a Job that is retained in the queue after processing has completed (see Section 5.3.7.2).

Note: This operation SHOULD NOT be supported in new implementations, since it destroys Printer accounting information. The Resubmit-Job operation [PWG5100.11] is the safe replacement for this operation and makes a copy of the Job, assigns a new "job-uri" and "job-id" to the copy, and resets the Job progress attributes in the new copy only.

The Restart-Job operation moves the Job to the 'pending' or
--
o Obsoleted all attributes and values defined in RFC 3381, as they do not interact well with the "finishings" attribute and have never been widely implemented.

o Deprecated the Purge-Jobs and Restart-Job operations, which destroy accounting information.

Sweet & McDonald Standards Track [Page 187]

../data/rfc/rfc7337.txt:
13.2. Informative References

[AAA-REQS] Gilletti, D., Nair, R., Scharber, J., and J. Guha, "Content Internetworking (CDI) Authentication, Authorization, and Accounting Requirements", Work in Progress, June 2001.

[ATIS-0800042] ATIS, "ATIS IPTV Content on Demand Service", ATIS-0800042 v002, September 2011, <https://www.atis.org/docstore/

../data/rfc/rfc8415.txt:
The information contained in the data area of this option is contained in one or more opaque fields that represent the user class or classes of which the client is a member. A server selects configuration information for the client based on the classes identified in this option. For example, the User Class option can be used to configure all clients of people in the accounting department with a different printer than clients of people in the marketing department. The user class information carried in this option MUST be configurable on the client.

The data area of the User Class option MUST contain one or more

../data/rfc/rfc454.txt:
normally be the first command transmitted by the user after the TELNET connections are made (some servers may require this). Additional identification information in the form of a password and/or an account command may also be required by some servers. Servers may allow a new USER command to be entered at any point in order to change the accounting information. All parameters are unchanged and any file transfer in progress is completed under the old account.

Password (PASS) - The argument field is an ASCII string identifying the user's password. This command must be immediately preceded

../data/rfc/rfc7170.txt:
[RFC6677] defines EAP channel bindings to solve the "lying NAS" and the "lying provider" problems, using a process in which the EAP peer gives information about the characteristics of the service provided by the authenticator to the Authentication, Authorization, and Accounting (AAA) server protected within the EAP method. This allows the server to verify the authenticator is providing information to
--
[RFC4945] Korver, B., "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX", RFC 4945, August 2007.

[RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management", BCP 132, RFC 4962, July 2007.

[RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework", RFC 5247, August 2008.

../data/rfc/rfc8241.txt:
the I2RS architecture [RFC7921].

I2RS reuses the secure transport protocols (TLS, SSH, DTLS) that support encryption, message integrity, peer authentication, and key distribution protocols. Optionally, implementers may utilize Authentication, Authorization, and Accounting (AAA) protocols (Radius over TLS or Diameter over TLS) to securely distribute identity information.

Section 2 highlights some of the terminology and concepts that the reader is required to be familiar with.

../data/rfc/rfc8313.txt:
4.3.2. Inter-domain Authentication Guidelines
4.3.3. Log-Management Guidelines
4.4. Operations - Service Performance and Monitoring Guidelines
4.5. Client Reliability Models / Service Assurance Guidelines
4.6. Application Accounting Guidelines
5. Troubleshooting and Diagnostics
6. Security Considerations
6.1. DoS Attacks (against State and Bandwidth)
6.2. Content Security
6.3. Peering Encryption
--
4.3.3. Log-Management Guidelines

Successful delivery (in terms of user experience) of applications or content via multicast between pairs of interconnecting ADs can be improved through the ability to exchange appropriate logs for various workflows -- troubleshooting, accounting and billing, optimization of traffic and content transmission, optimization of content and application development, and so on.

Specifically, AD-1 takes over primary responsibility for customer experience on behalf of the content source, with support from AD-2 as
--
multicast application source providers.

Network reliability can also be enhanced by the two ADs if they provision alternate delivery mechanisms via unicast means.

4.6.
Application Accounting Guidelines ../data/rfc/rfc8313.txt- ../data/rfc/rfc8313.txt: Application-level accounting needs to be handled differently in the ../data/rfc/rfc8313.txt- application than in IP unicast, because the source side does not ../data/rfc/rfc8313.txt- directly deliver packets to individual receivers. Instead, this ../data/rfc/rfc8313.txt- needs to be signaled back by the receiver to the source. ../data/rfc/rfc8313.txt- ../data/rfc/rfc8313.txt- For network transport diagnostics, AD-1 and AD-2 should have ../data/rfc/rfc8313.txt: mechanisms in place to ensure proper accounting for the volume of ../data/rfc/rfc8313.txt- bytes delivered through the peering point and, separately, the number ../data/rfc/rfc8313.txt- of bytes delivered to EUs. ../data/rfc/rfc8313.txt- ../data/rfc/rfc8313.txt-5. Troubleshooting and Diagnostics ../data/rfc/rfc8313.txt- -- ../data/rfc/rfc8313.txt- information, as it provides operational insight into the originating ../data/rfc/rfc8313.txt- AD but also contains sensitive user data. ../data/rfc/rfc8313.txt- ../data/rfc/rfc8313.txt- Sensitive user data exported from AD-2 to AD-1 as part of logs could ../data/rfc/rfc8313.txt- be as much as the equivalent of 5-tuple unicast traffic flow ../data/rfc/rfc8313.txt: accounting (but not more, e.g., no application-level information). ../data/rfc/rfc8313.txt- As mentioned in Section 7, in unicast, AD-1 could capture these ../data/rfc/rfc8313.txt- traffic statistics itself because this is all about traffic flows ../data/rfc/rfc8313.txt- (originated by AD-1) to EU receivers in AD-2, and operationally ../data/rfc/rfc8313.txt- passing it from AD-2 to AD-1 may be necessary when IP multicast is ../data/rfc/rfc8313.txt- used because of the replication taking place in AD-2. -- ../data/rfc/rfc8170.txt- other entities also transition. Unfortunately, in such cases, ../data/rfc/rfc8170.txt- the natural incentive is often to delay transitioning. ../data/rfc/rfc8170.txt- ../data/rfc/rfc8170.txt- 3. 
Total Cost: It is important to consider costs that go beyond the ../data/rfc/rfc8170.txt- core hardware and software, such as operational tools and ../data/rfc/rfc8170.txt: processes, personnel training, business model (accounting/ ../data/rfc/rfc8170.txt- billing) dependencies, and legal (regulation, patents, etc.) ../data/rfc/rfc8170.txt- costs. ../data/rfc/rfc8170.txt- ../data/rfc/rfc8170.txt- 4. Extensibility: Design for extensibility [RFC6709] so that things ../data/rfc/rfc8170.txt- can be fixed up later. -- ../data/rfc/rfc8170.txt- A transition plan should explain the incentives to each involved ../data/rfc/rfc8170.txt- entity to support the transition. Note here that many entities other ../data/rfc/rfc8170.txt- than the endpoint applications and their users may be affected, and ../data/rfc/rfc8170.txt- the barriers to transition may be non-technical as well as technical. ../data/rfc/rfc8170.txt- When considering these incentives, also consider network operations ../data/rfc/rfc8170.txt: tools, practices and processes, personnel training, accounting and ../data/rfc/rfc8170.txt- billing dependencies, and legal and regulatory incentives. 
../data/rfc/rfc8170.txt- ../data/rfc/rfc8170.txt- If there is opposition to a particular new protocol (e.g., from ../data/rfc/rfc8170.txt- another standards organization, or a government, or some other ../data/rfc/rfc8170.txt- affected entity), various non-technical issues arise that should be -- ../data/rfc/rfc1340.txt- 64-149 Unassigned [JBP] ../data/rfc/rfc1340.txt- 150 Xerox NS IDP [133,XEROX] ../data/rfc/rfc1340.txt- 151 Unassigned [JBP] ../data/rfc/rfc1340.txt- 152 PARC Universal Protocol [8,XEROX] ../data/rfc/rfc1340.txt- 153 TIP Status Reporting [JGH] ../data/rfc/rfc1340.txt: 154 TIP Accounting [JGH] ../data/rfc/rfc1340.txt- 155 Internet Protocol [regular] [105,JBP] ../data/rfc/rfc1340.txt- 156-158 Internet Protocol [experimental] [105,JBP] ../data/rfc/rfc1340.txt- 159 Figleaf Link [JBW1] ../data/rfc/rfc1340.txt- 160 Blacker Local Network Protocol [DM28] ../data/rfc/rfc1340.txt- 161-194 Unassigned [JBP] -- ../data/rfc/rfc5290.txt- www.isoc.org/orgs/ac/cms/uploads/docs/2020_vision.pdf". ../data/rfc/rfc5290.txt- ../data/rfc/rfc5290.txt- [J88] V. Jacobson, Congestion Avoidance and Control, SIGCOMM '88, ../data/rfc/rfc5290.txt- August 1988. ../data/rfc/rfc5290.txt- ../data/rfc/rfc5290.txt: [K96] F. Kelly, Charging and Accounting for Bursty Connections, ../data/rfc/rfc5290.txt- In L. W. McKnight and J. P. Bailey, editors, Internet ../data/rfc/rfc5290.txt- Economics. MIT Press, 1997. ../data/rfc/rfc5290.txt- ../data/rfc/rfc5290.txt- [K97] F. Kelly, Charging and Rate Control for Elastic Traffic, ../data/rfc/rfc5290.txt- European Transactions on Telecommunications, 8:33--37, -- ../data/rfc/rfc3611.txt- instead. In addition, if it were found useful, they could be used ../data/rfc/rfc3611.txt- for applications limited to two participants. 
../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt- One use to which the packet-by-packet reports are not immediately ../data/rfc/rfc3611.txt- suited is for data packet acknowledgments as part of a packet ../data/rfc/rfc3611.txt: retransmission mechanism. The reason is that the packet accounting ../data/rfc/rfc3611.txt- technique suggested for these blocks differs from the packet ../data/rfc/rfc3611.txt: accounting normally employed by RTP. In order to favor measurement ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt-Friedman, et al. Standards Track [Page 5] ../data/rfc/rfc3611.txt- -- ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt- applications, an effort is made to interpret as little as possible at ../data/rfc/rfc3611.txt- the data receiver, and leave the interpretation as much as possible ../data/rfc/rfc3611.txt- to participants that receive the report blocks. Thus, for example, a ../data/rfc/rfc3611.txt- packet with an anomalous SSRC ID or an anomalous sequence number ../data/rfc/rfc3611.txt: might be excluded by normal RTP accounting, but would be reported ../data/rfc/rfc3611.txt- upon for network monitoring purposes. ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt- The Statistics Summary Report Block (Section 4.6) has also been ../data/rfc/rfc3611.txt- defined with network monitoring in mind. This block type can be used ../data/rfc/rfc3611.txt- equally well for reporting on unicast and multicast packet reception. -- ../data/rfc/rfc3611.txt-Friedman, et al. 
Standards Track [Page 9] ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt-RFC 3611 RTCP XR November 2003 ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt: accounting for Loss RLE Report Blocks will differ from the accounting ../data/rfc/rfc3611.txt- for the generation of the SR and RR packets described in the RTP ../data/rfc/rfc3611.txt: specification [9] in the following two areas: per-sender accounting ../data/rfc/rfc3611.txt: and per-packet accounting. ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt: In its per-sender accounting, an RTP session participant SHOULD NOT ../data/rfc/rfc3611.txt- make the receipt of a threshold minimum number of RTP packets a ../data/rfc/rfc3611.txt- condition for reporting upon the sender of those packets. This ../data/rfc/rfc3611.txt: accounting technique differs from the technique described in Section ../data/rfc/rfc3611.txt- 6.2.1 and Appendix A.1 of the RTP specification that allows a ../data/rfc/rfc3611.txt- threshold to determine whether a sender is considered valid. ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt: In its per-packet accounting, an RTP session participant SHOULD treat ../data/rfc/rfc3611.txt: all sequence numbers as valid. This accounting technique differs ../data/rfc/rfc3611.txt- from the technique described in Appendix A.1 of the RTP specification ../data/rfc/rfc3611.txt- that suggests ruling a sequence number valid or invalid on the basis ../data/rfc/rfc3611.txt- of its contiguity with the sequence numbers of previously received ../data/rfc/rfc3611.txt- packets. ../data/rfc/rfc3611.txt- -- ../data/rfc/rfc3611.txt- for example, of excluding the stray old packet from an unrelated ../data/rfc/rfc3611.txt- session from having an effect upon the calculation of the RTCP ../data/rfc/rfc3611.txt- transmission interval. The presence of stray packets might, on the ../data/rfc/rfc3611.txt- other hand, be of interest to a network monitoring application. 
../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt: One accounting interpretation that is still necessary is for a ../data/rfc/rfc3611.txt- participant to decide whether the 16 bit sequence number has rolled ../data/rfc/rfc3611.txt- over. Under ordinary circumstances this is not a difficult task. ../data/rfc/rfc3611.txt- For example, if packet number 65,535 (the highest possible sequence ../data/rfc/rfc3611.txt- number) is followed shortly by packet number 0, it is reasonable to ../data/rfc/rfc3611.txt- assume that there has been a rollover. However, it is possible that ../data/rfc/rfc3611.txt- the packet is an earlier one (from 65,535 packets earlier). It is ../data/rfc/rfc3611.txt- also possible that the sequence numbers have rolled over multiple ../data/rfc/rfc3611.txt- times, either forward or backward. The interpretation becomes more ../data/rfc/rfc3611.txt- difficult when there are large gaps between the sequence numbers, ../data/rfc/rfc3611.txt: even accounting for rollover, and when there are long intervals ../data/rfc/rfc3611.txt- between received packets. ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt: The per-packet accounting technique mandated here is for a ../data/rfc/rfc3611.txt- participant to keep track of the sequence number of the packet most ../data/rfc/rfc3611.txt- recently received from a sender. For the next packet that arrives ../data/rfc/rfc3611.txt- from that sender, the sequence number MUST be judged to fall no more ../data/rfc/rfc3611.txt- than 32,768 packets ahead or behind the most recent one, whichever ../data/rfc/rfc3611.txt- choice places it closer. In the event that both choices are equally -- ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt-A.1. Sequence Number Interpretation ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt- This is the algorithm suggested by Section 4.1 for keeping track of ../data/rfc/rfc3611.txt- the sequence numbers from a given sender. 
It implements the ../data/rfc/rfc3611.txt: accounting practice required for the generation of Loss RLE Report ../data/rfc/rfc3611.txt- Blocks. ../data/rfc/rfc3611.txt- ../data/rfc/rfc3611.txt- This algorithm keeps track of 16 bit sequence numbers by translating ../data/rfc/rfc3611.txt- them into a 32 bit sequence number space. The first packet received ../data/rfc/rfc3611.txt- from a source is considered to have arrived roughly in the middle of -- ../data/rfc/rfc6120.txt- secure than TLS plus SASL PLAIN), e.g., because the XMPP service ../data/rfc/rfc6120.txt- depends for authentication purposes on a database or directory ../data/rfc/rfc6120.txt- that is not under the control of the XMPP administrators, such as ../data/rfc/rfc6120.txt- Pluggable Authentication Modules (PAM), an Lightweight Directory ../data/rfc/rfc6120.txt- Access Protocol (LDAP) directory [LDAP], or an Authentication, ../data/rfc/rfc6120.txt: Authorization, and Accounting (AAA) key management protocol (for ../data/rfc/rfc6120.txt- guidance, refer to [AAA]). However, offering TLS plus SASL PLAIN ../data/rfc/rfc6120.txt- even when the server supports more secure alternatives might be ../data/rfc/rfc6120.txt- appropriate if the server needs to enable interoperability with an ../data/rfc/rfc6120.txt- installed base of clients that do not yet support SCRAM or other ../data/rfc/rfc6120.txt- alternatives that are more secure than TLS plus SASL PLAIN. -- ../data/rfc/rfc6120.txt- RFC 6121, March 2011. ../data/rfc/rfc6120.txt- ../data/rfc/rfc6120.txt-16.2. Informative References ../data/rfc/rfc6120.txt- ../data/rfc/rfc6120.txt- [AAA] Housley, R. and B. Aboba, "Guidance for ../data/rfc/rfc6120.txt: Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc6120.txt- Key Management", BCP 132, RFC 4962, July 2007. ../data/rfc/rfc6120.txt- ../data/rfc/rfc6120.txt- [ABNF] Crocker, D. and P. 
Overell, "Augmented BNF for Syntax ../data/rfc/rfc6120.txt- Specifications: ABNF", STD 68, RFC 5234, ../data/rfc/rfc6120.txt- January 2008. -- ../data/rfc/rfc147.txt- ../data/rfc/rfc147.txt- [Page 2] ../data/rfc/rfc147.txt- ../data/rfc/rfc147.txt-Network Socket Committee and Network Community 7 May 1971 ../data/rfc/rfc147.txt- ../data/rfc/rfc147.txt:The definition of a socket is also related to the accounting procedures ../data/rfc/rfc147.txt-followed for network usage. Network Control Programs (NCPs) should log ../data/rfc/rfc147.txt-each connection made and record the time the connection was made, the time ../data/rfc/rfc147.txt-the connection was closed, the number of messages and number of bits ../data/rfc/rfc147.txt-transmitted over the connection, the sending and receiving hosts, and the ../data/rfc/rfc147.txt-sockets at the sending host and receiving host which participated in the -- ../data/rfc/rfc147.txt-The sockets used for facilities following a common network protocol, such ../data/rfc/rfc147.txt-as the ICP, should also follow this socket definition. Thus the logger ../data/rfc/rfc147.txt-socket at the Lincoln Laboratory 360/67 would be, and is, x'0A0000 01, ', ../data/rfc/rfc147.txt-i.e. home 10, user 0, and tag 1. ../data/rfc/rfc147.txt- ../data/rfc/rfc147.txt:This procedure for defining sockets enables an accounting procedure for ../data/rfc/rfc147.txt-identifying users of network facilities and for measuring network usage. ../data/rfc/rfc147.txt- ../data/rfc/rfc147.txt- [ This RFC was put into machine readable form for entry ] ../data/rfc/rfc147.txt- [ into the online RFC archives by BBN Corp. under the ] ../data/rfc/rfc147.txt- [ direction of Alex McKenzie. 12/96 ] -- ../data/rfc/rfc8049.txt- o Ellipsis ("...") stands for contents of subtrees that are not ../data/rfc/rfc8049.txt- shown. ../data/rfc/rfc8049.txt- ../data/rfc/rfc8049.txt-2. Acronyms ../data/rfc/rfc8049.txt- ../data/rfc/rfc8049.txt: AAA: Authentication, Authorization, and Accounting. 
../data/rfc/rfc8049.txt- ../data/rfc/rfc8049.txt- ACL: Access Control List. ../data/rfc/rfc8049.txt- ../data/rfc/rfc8049.txt- ADSL: Asymmetric DSL. ../data/rfc/rfc8049.txt- -- ../data/rfc/rfc2513.txt- Cisco Systems, Inc. ../data/rfc/rfc2513.txt- February 1999 ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- Managed Objects for Controlling the Collection ../data/rfc/rfc2513.txt: and Storage of Accounting Information for ../data/rfc/rfc2513.txt- Connection-Oriented Networks ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-Status of this Memo ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- This document specifies an Internet standards track protocol for the -- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- 1 Introduction .................................................... 2 ../data/rfc/rfc2513.txt- 2 The SNMP Network Management Framework ........................... 2 ../data/rfc/rfc2513.txt- 3 Overview ........................................................ 3 ../data/rfc/rfc2513.txt- 3.1 Operational Model ............................................. 3 ../data/rfc/rfc2513.txt: 3.2 Selection of Accounting Data .................................. 5 ../data/rfc/rfc2513.txt- 3.3 Format of Collection File ..................................... 6 ../data/rfc/rfc2513.txt- 4 Definitions ..................................................... 9 ../data/rfc/rfc2513.txt- 5 Acknowledgements ................................................25 ../data/rfc/rfc2513.txt- 6 References ......................................................25 ../data/rfc/rfc2513.txt- 7 Security Considerations .........................................27 -- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-McCloghrie, et. al. Standards Track [Page 1] ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:RFC 2513 Connection-Oriented Accounting MIB February 1999 ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-1. 
Introduction ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- This memo defines a portion of the Management Information Base (MIB) ../data/rfc/rfc2513.txt- for use with network management protocols in the Internet community. ../data/rfc/rfc2513.txt- In particular, it describes managed objects used for controlling the ../data/rfc/rfc2513.txt: collection and storage of accounting information for connection- ../data/rfc/rfc2513.txt: oriented networks such as ATM. The accounting data is collected into ../data/rfc/rfc2513.txt- files for later retrieval via a file transfer protocol. For ../data/rfc/rfc2513.txt- information on data which can be collected for ATM networks, see ../data/rfc/rfc2513.txt- [19]. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-2. The SNMP Network Management Framework -- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-McCloghrie, et. al. Standards Track [Page 2] ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:RFC 2513 Connection-Oriented Accounting MIB February 1999 ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- This memo specifies a MIB module that is compliant to the SMIv2. A ../data/rfc/rfc2513.txt- MIB conforming to the SMIv1 can be produced through the appropriate ../data/rfc/rfc2513.txt- translations. The resulting translated MIB must be semantically -- ../data/rfc/rfc2513.txt- semantics of the MIB. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-3. Overview ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- In some connection-oriented network environments, there is a need for ../data/rfc/rfc2513.txt: the network administrator to be able to collect accounting data on ../data/rfc/rfc2513.txt- the usage of bandwidth/resources by connections (e.g., ATM ../data/rfc/rfc2513.txt- connections) within the network. 
Data collection should be available ../data/rfc/rfc2513.txt- for switched virtual connections (SVCs and SVPs), and permanent ../data/rfc/rfc2513.txt- virtual connections (PVCs and PVPs), including soft-permanent virtual ../data/rfc/rfc2513.txt- connections (SPVCCs and SPVPCs). This need exists for ATM networks, ../data/rfc/rfc2513.txt- and may well exist for other connection-oriented networks, such as ../data/rfc/rfc2513.txt- Frame Relay. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt: The potential quantity of such accounting information is such that it ../data/rfc/rfc2513.txt- is not, in general, feasible to retrieve the information via SNMP. A ../data/rfc/rfc2513.txt: better method is to store the collected accounting information in a ../data/rfc/rfc2513.txt- file which can be subsequently retrieved via a file transfer ../data/rfc/rfc2513.txt- protocol. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- It is, however, appropriate to provide management control of the ../data/rfc/rfc2513.txt: selection and collection of such accounting data via SNMP. This memo ../data/rfc/rfc2513.txt- describes a MIB module which provides such control in a manner ../data/rfc/rfc2513.txt- independent of the type of network. One or more other documents ../data/rfc/rfc2513.txt: provide definitions of particular items of accounting data which can ../data/rfc/rfc2513.txt- be selected; for example, a particular set of data items which can be ../data/rfc/rfc2513.txt- collected for ATM networks is specified in [19]. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-3.1. Operational Model ../data/rfc/rfc2513.txt- -- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-McCloghrie, et. al. 
Standards Track [Page 3] ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:RFC 2513 Connection-Oriented Accounting MIB February 1999 ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- After this operation, the data in the old file is available for ../data/rfc/rfc2513.txt- retrieval via file transfer. ../data/rfc/rfc2513.txt- -- ../data/rfc/rfc2513.txt- of the file currently being collected exceeds a threshold percentage ../data/rfc/rfc2513.txt- of that maximum size, an SNMP notification (e.g., a trap) can be ../data/rfc/rfc2513.txt- optionally generated. An SNMP notification might also be generated ../data/rfc/rfc2513.txt- if the file reaches its maximum size. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt: The accounting data collected for each connection consists of a set ../data/rfc/rfc2513.txt- of objects and their values. The set of objects and their values are ../data/rfc/rfc2513.txt- collected on one or more of the following occasions: ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- (1) on the release (termination) of a connection optionally ../data/rfc/rfc2513.txt- including failed connection attempts; -- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-McCloghrie, et. al. Standards Track [Page 4] ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:RFC 2513 Connection-Oriented Accounting MIB February 1999 ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- within the required time frame. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- (2) agent automatically swaps to new file: -- ../data/rfc/rfc2513.txt- before or immediately after storing the whole of the current ../data/rfc/rfc2513.txt- connection record into the file. The former causes the file to be ../data/rfc/rfc2513.txt- just less than its maximum size, and the latter causes the file to be ../data/rfc/rfc2513.txt- just greater than its maximum size. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:3.2. 
Selection of Accounting Data ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt: The items of accounting data to be collected are specified as a set ../data/rfc/rfc2513.txt- of objects. Which objects are contained in such a set is selectable ../data/rfc/rfc2513.txt- by an administrator through the specification of one or more ../data/rfc/rfc2513.txt- (subtree, list) tuples, where the set of objects to be collected is ../data/rfc/rfc2513.txt- the union of the subsets specified by each tuple: ../data/rfc/rfc2513.txt- -- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-McCloghrie, et. al. Standards Track [Page 5] ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:RFC 2513 Connection-Oriented Accounting MIB February 1999 ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- object in the set). ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- The number of tuples supported by a particular switch is an -- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- A collection file generated by this process contains the values of ../data/rfc/rfc2513.txt- MIB objects defined using the SMIv2. The standard way to encode the ../data/rfc/rfc2513.txt- values of SNMP MIB objects in a device-independent manner is through ../data/rfc/rfc2513.txt- the use of ASN.1's Basic Encoding Rules (BER) [18]. Thus, the ../data/rfc/rfc2513.txt: standard format of an accounting file is defined here using the same ../data/rfc/rfc2513.txt- adapted subset of ASN.1 [17] as the SMIv2. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- The file consists of a set of header information followed by a ../data/rfc/rfc2513.txt- sequence of zero or more collection records. The header information ../data/rfc/rfc2513.txt- identifies (via sysName [16]) the switch which collected the data, -- ../data/rfc/rfc2513.txt- identified tuple, in the same order as the tuples are identified in ../data/rfc/rfc2513.txt- the header information. 
For each tuple, the sequence of values are ../data/rfc/rfc2513.txt- in ascending order of the sub-identifier which identifies them within ../data/rfc/rfc2513.txt- the subtree. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt: Formally, an accounting file is an ASN.1 value with the following ../data/rfc/rfc2513.txt- syntax: ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-File ::= ../data/rfc/rfc2513.txt- [1] ../data/rfc/rfc2513.txt- IMPLICIT SEQUENCE { -- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-McCloghrie, et. al. Standards Track [Page 6] ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:RFC 2513 Connection-Oriented Accounting MIB February 1999 ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- DateAndTime, ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- SEQUENCE OF { -- sequence of (subtree, list) tuples -- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- (5) ObjectSyntax is defined by the SMIv2 [5]. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- (6) One particular category of object values deserves special ../data/rfc/rfc2513.txt- attention: an object defined to hold the checksum value of an ../data/rfc/rfc2513.txt: accounting record (e.g., atmAcctngRecordCrc16, defined in [19]). ../data/rfc/rfc2513.txt- An object in this category will generally have a SYNTAX of a ../data/rfc/rfc2513.txt- fixed-length OCTET STRING, and have its value initialized to the ../data/rfc/rfc2513.txt: string of all zeros when composing the accounting record ../data/rfc/rfc2513.txt- containing it, with the location of these zeros being saved. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-McCloghrie, et. al. 
Standards Track [Page 7] ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:RFC 2513 Connection-Oriented Accounting MIB February 1999 ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- Once the record is generated, the checksum is calculated over ../data/rfc/rfc2513.txt- the whole connection record (including the starting SEQUENCE OF ../data/rfc/rfc2513.txt- and the trailing end-of-contents octets, if used), and then the -- ../data/rfc/rfc2513.txt- end-of-contents 00 00 ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- contains two connection records, each containing one tuple listing ../data/rfc/rfc2513.txt- two (integer) data items in a (fictitious) subtree: ../data/rfc/rfc2513.txt- 1.3.6.1.3.127.1.1. Its header indicates it's for "switch-12", with ../data/rfc/rfc2513.txt: description "Accounting", and was collected at 16:05:00 on 20 July ../data/rfc/rfc2513.txt- 1996. ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- As well as the standard format defined above, the MIB allows other ../data/rfc/rfc2513.txt- enterprise-specific formats to be used. ../data/rfc/rfc2513.txt- -- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-McCloghrie, et. al. Standards Track [Page 8] ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:RFC 2513 Connection-Oriented Accounting MIB February 1999 ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-4. 
Definitions ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:ACCOUNTING-CONTROL-MIB DEFINITIONS ::= BEGIN ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt-IMPORTS ../data/rfc/rfc2513.txt- MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, ../data/rfc/rfc2513.txt- mib-2, Integer32 FROM SNMPv2-SMI ../data/rfc/rfc2513.txt- TEXTUAL-CONVENTION, RowStatus, TestAndIncr, -- ../data/rfc/rfc2513.txt- MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP ../data/rfc/rfc2513.txt- FROM SNMPv2-CONF ../data/rfc/rfc2513.txt- ifIndex FROM IF-MIB; ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt- ../data/rfc/rfc2513.txt:accountingControlMIB MODULE-IDENTITY ../data/rfc/rfc2513.txt- LAST-UPDATED "9809281000Z" ../data/rfc/rfc2513.txt- ORGANIZATION "IETF AToM MIB Working Group" ../data/rfc/rfc2513.txt- CONTACT-INFO "Keith McCloghrie ../data/rfc/rfc2513.txt- Cisco Systems, Inc. ../data/rfc/rfc2513.txt- 170 West Tasman Drive, ../data/rfc/rfc2513.txt- San Jose CA 95134-1706. ../data/rfc/rfc2513.txt- Phone: +1 408 526 5260 ../data/rfc/rfc2513.txt- Email: kzm@cisco.com" ../data/rfc/rfc2513.txt- DESCRIPTION ../data/rfc/rfc2513.txt- "The MIB module for managing the collection and storage of ../data/rfc/rfc2513.txt: accounting information for connections in a connection- ../data/rfc/rfc2513.txt- oriented network such as ATM." 
../data/rfc/rfc2513.txt-    ::= { mib-2 60 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt:acctngMIBObjects OBJECT IDENTIFIER ::= { accountingControlMIB 1 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-acctngSelectionControl OBJECT IDENTIFIER ::= { acctngMIBObjects 1 }
../data/rfc/rfc2513.txt-acctngFileControl      OBJECT IDENTIFIER ::= { acctngMIBObjects 2 }
../data/rfc/rfc2513.txt-acctngInterfaceControl OBJECT IDENTIFIER ::= { acctngMIBObjects 3 }
../data/rfc/rfc2513.txt-acctngTrapControl      OBJECT IDENTIFIER ::= { acctngMIBObjects 4 }
--
../data/rfc/rfc2513.txt-DataCollectionSubtree ::= TEXTUAL-CONVENTION
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "The subtree component of a (subtree, list) tuple.  Such a
../data/rfc/rfc2513.txt-        (subtree, list) tuple defines a set of objects and their
../data/rfc/rfc2513.txt:        values to be collected as accounting data for a connection.
../data/rfc/rfc2513.txt-        The subtree specifies a single OBJECT IDENTIFIER value such
../data/rfc/rfc2513.txt-        that each object in the set is named by the subtree value
../data/rfc/rfc2513.txt-        appended with a single additional sub-identifier."
../data/rfc/rfc2513.txt-    SYNTAX      OBJECT IDENTIFIER
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-DataCollectionList ::= TEXTUAL-CONVENTION
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "The list component of a (subtree, list) tuple.  Such a
../data/rfc/rfc2513.txt-        (subtree, list) tuple defines a set of objects and their
../data/rfc/rfc2513.txt:        values to be collected as accounting data for a connection.
../data/rfc/rfc2513.txt-        The subtree specifies a single OBJECT IDENTIFIER value such
../data/rfc/rfc2513.txt-        that each object in the set is named by the subtree value
../data/rfc/rfc2513.txt-        appended with a single additional sub-identifier.  The list
../data/rfc/rfc2513.txt-        specifies a set of data items, where the presence of an item
../data/rfc/rfc2513.txt-        in the list indicates that the item is (to be) present in
--
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-FileIndex ::= TEXTUAL-CONVENTION
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "An arbitrary integer value identifying a file into which
../data/rfc/rfc2513.txt:        accounting data is being collected."
../data/rfc/rfc2513.txt-    SYNTAX      Integer32 (1..65535)
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt:-- The Accounting Information Selection table
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-acctngSelectionTable OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      SEQUENCE OF AcctngSelectionEntry
../data/rfc/rfc2513.txt-    MAX-ACCESS  not-accessible
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "A list of accounting information selection entries.
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-        Note that additions, modifications and deletions of entries
../data/rfc/rfc2513.txt-        in this table can occur at any time, but such changes only
../data/rfc/rfc2513.txt-        take effect on the next occasion when collection begins into
../data/rfc/rfc2513.txt-        a new file.  Thus, between modification and the next 'swap',
--
../data/rfc/rfc2513.txt-    SYNTAX      AcctngSelectionEntry
../data/rfc/rfc2513.txt-    MAX-ACCESS  not-accessible
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "An entry identifying a (subtree, list) tuple used to
../data/rfc/rfc2513.txt:        select a set of accounting information which is to be
../data/rfc/rfc2513.txt-        collected."
../data/rfc/rfc2513.txt-    INDEX   { acctngSelectionIndex }
../data/rfc/rfc2513.txt-    ::= { acctngSelectionTable 1 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-AcctngSelectionEntry ::=
--
../data/rfc/rfc2513.txt-acctngSelectionSubtree OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      DataCollectionSubtree
../data/rfc/rfc2513.txt-    MAX-ACCESS  read-create
--
../data/rfc/rfc2513.txt-acctngSelectionFile OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      FileIndex
../data/rfc/rfc2513.txt-    MAX-ACCESS  read-create
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "An indication of the file into which the accounting
../data/rfc/rfc2513.txt-        information identified by this entry is to be stored.  If
../data/rfc/rfc2513.txt-        there is no conceptual row in the acctngFileTable for which
../data/rfc/rfc2513.txt-        the value of acctngFileIndex has the same value as this
../data/rfc/rfc2513.txt-        object, then the information selected by this entry is not
../data/rfc/rfc2513.txt-        collected."
--
../data/rfc/rfc2513.txt-        information selected by this entry are to be collected."
../data/rfc/rfc2513.txt-    DEFVAL  { { svcIncoming, svcOutgoing,
../data/rfc/rfc2513.txt-                svpIncoming, svpOutgoing } }
--
../data/rfc/rfc2513.txt-        'active'.  However, such changes only take effect upon the
../data/rfc/rfc2513.txt-        next occasion when collection begins into a new (version of
../data/rfc/rfc2513.txt-        the) file."
../data/rfc/rfc2513.txt-    ::= { acctngSelectionEntry 6 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt:-- The Accounting File table
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-acctngFileTable OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      SEQUENCE OF AcctngFileEntry
../data/rfc/rfc2513.txt-    MAX-ACCESS  not-accessible
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "A list of files into which accounting information is to be
../data/rfc/rfc2513.txt-        stored."
../data/rfc/rfc2513.txt-    ::= { acctngFileControl 1 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-acctngFileEntry OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      AcctngFileEntry
--
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "An entry identifying a file into which accounting
../data/rfc/rfc2513.txt-        information is to be collected."
../data/rfc/rfc2513.txt-    INDEX   { acctngFileIndex }
../data/rfc/rfc2513.txt-    ::= { acctngFileTable 1 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-AcctngFileEntry ::=
--
../data/rfc/rfc2513.txt-acctngFileIndex OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      FileIndex
../data/rfc/rfc2513.txt-    MAX-ACCESS  not-accessible
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "A unique value identifying a file into which accounting
../data/rfc/rfc2513.txt-        data is to be stored.  This value is required to be the
../data/rfc/rfc2513.txt-        permanent 'handle' for an entry in this table for as long as
../data/rfc/rfc2513.txt-        that entry exists, including across restarts and power
../data/rfc/rfc2513.txt-        outages."
../data/rfc/rfc2513.txt-    ::= { acctngFileEntry 1 }
--
../data/rfc/rfc2513.txt-acctngFileName OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      DisplayString (SIZE(1..32))
../data/rfc/rfc2513.txt-    MAX-ACCESS  read-create
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "The name of the file into which accounting data is to be
../data/rfc/rfc2513.txt-        stored.  If files are named using suffixes, then the name of
../data/rfc/rfc2513.txt-        the current file is the concatenation of acctngFileName and
../data/rfc/rfc2513.txt-        acctngFileNameSuffix.
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-        An agent will respond with an error (e.g., 'wrongValue') to
--
../data/rfc/rfc2513.txt-        value of this object to the same value as already held by
../data/rfc/rfc2513.txt-        another instance of acctngFileName.  An agent will also
../data/rfc/rfc2513.txt-        respond with an error (e.g., 'wrongValue') if the new value
--
../data/rfc/rfc2513.txt-    SYNTAX      DisplayString (SIZE(0..8))
../data/rfc/rfc2513.txt-    MAX-ACCESS  read-only
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "The suffix, if any, of the name of a file into which
../data/rfc/rfc2513.txt:        accounting data is currently being stored.  If suffixes are
../data/rfc/rfc2513.txt-        not used, then the value of this object is the zero-length
../data/rfc/rfc2513.txt-        string.  Note that if a separator, such as a period, is used
../data/rfc/rfc2513.txt-        in appending the suffix to the file name, then that
../data/rfc/rfc2513.txt-        separator appears as the first character of this value."
../data/rfc/rfc2513.txt-    ::= { acctngFileEntry 3 }
--
../data/rfc/rfc2513.txt-acctngFileDescription OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      DisplayString
../data/rfc/rfc2513.txt-    MAX-ACCESS  read-create
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "The textual description of the accounting data which will
../data/rfc/rfc2513.txt-        be stored (on the next occasion) when header information is
../data/rfc/rfc2513.txt-        stored in the file.  The value of this object may be
../data/rfc/rfc2513.txt-        modified at any time."
../data/rfc/rfc2513.txt-    DEFVAL  { "" }
../data/rfc/rfc2513.txt-    ::= { acctngFileEntry 4 }
--
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "A control object for the collection of accounting data.
../data/rfc/rfc2513.txt-        When read the value is either 'idle' or 'cmdInProgress'.
../data/rfc/rfc2513.txt-        Writing a value is only allowed when the current value is
../data/rfc/rfc2513.txt-        'idle'.  When a value is successfully written, the value
../data/rfc/rfc2513.txt-        changes to 'cmdInProgress' until completion of the action,
../data/rfc/rfc2513.txt-        at which time the value reverts to 'idle'.  Actions are
--
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "The current size of the file into which data is currently
--
../data/rfc/rfc2513.txt-acctngFileFormat OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      INTEGER { other(1), ber(2) }
../data/rfc/rfc2513.txt-    MAX-ACCESS  read-create
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "An indication of the format in which the accounting data is
../data/rfc/rfc2513.txt-        to be stored in the file.  If the value is modified, the new
../data/rfc/rfc2513.txt-        value takes effect after the next 'swap' to a new file.  The
../data/rfc/rfc2513.txt-        value ber(2) indicates the standard format."
../data/rfc/rfc2513.txt-    DEFVAL  { ber }
../data/rfc/rfc2513.txt-    ::= { acctngFileEntry 8 }
--
../data/rfc/rfc2513.txt-acctngFileCollectMode OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      BITS { onRelease(0), periodically(1) }
../data/rfc/rfc2513.txt-    MAX-ACCESS  read-create
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "An indication of when accounting data is to be written into
../data/rfc/rfc2513.txt-        this file.  Note that in addition to the occasions indicated
../data/rfc/rfc2513.txt-        by the value of this object, an agent always writes
../data/rfc/rfc2513.txt-        information on appropriate connections to the file when the
../data/rfc/rfc2513.txt-        corresponding instance of acctngFileCommand is set to
../data/rfc/rfc2513.txt-        'collectNow'.
--
../data/rfc/rfc2513.txt-        for failed connection attempts when the value of the
../data/rfc/rfc2513.txt-        corresponding instance of acctngFileCollectMode includes
../data/rfc/rfc2513.txt-        'onRelease'.  The individual values have the following
--
../data/rfc/rfc2513.txt-    UNITS       "seconds"
../data/rfc/rfc2513.txt-    MAX-ACCESS  read-create
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "The number of seconds between the periodic collections of
../data/rfc/rfc2513.txt:        accounting data when the value of the corresponding instance
../data/rfc/rfc2513.txt-        of acctngFileCollectMode includes 'periodically'.  Some
../data/rfc/rfc2513.txt-        agents may impose restrictions on the range of this
../data/rfc/rfc2513.txt-        interval.  This value may be modified at any time."
../data/rfc/rfc2513.txt-    DEFVAL  { 3600 }
../data/rfc/rfc2513.txt-    ::= { acctngFileEntry 11 }
--
../data/rfc/rfc2513.txt-        periodic intervals and/or when acctngFileCommand is set to
../data/rfc/rfc2513.txt-        'collectNow'.  The age of a connection is the elapsed time
../data/rfc/rfc2513.txt-        since it was last installed.
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-        When the periodic interval expires for a file or when
../data/rfc/rfc2513.txt:        acctngFileCommand is set to 'collectNow', accounting data is
../data/rfc/rfc2513.txt-        collected and stored in the file for each connection having
../data/rfc/rfc2513.txt-        a type matching acctngSelectionType and whose age at that
../data/rfc/rfc2513.txt-        time is greater than the value of acctngFileMinAge
../data/rfc/rfc2513.txt-        associated with the file.  This value may be modified at any
../data/rfc/rfc2513.txt-        time."
../data/rfc/rfc2513.txt-    DEFVAL  { 3600 }
--
../data/rfc/rfc2513.txt-    SYNTAX      INTEGER { enabled(1), disabled(2) }
../data/rfc/rfc2513.txt-    MAX-ACCESS  read-write
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "A control object to indicate the administratively desired
../data/rfc/rfc2513.txt:        state of the collection of accounting records across all
../data/rfc/rfc2513.txt-        interfaces.
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-        Modifying the value of acctngAdminStatus to 'disabled' does
../data/rfc/rfc2513.txt-        not remove or change the current configuration as
../data/rfc/rfc2513.txt-        represented by the active rows in the acctngSelectionTable,
--
../data/rfc/rfc2513.txt-        "A status object to indicate the operational state of the
../data/rfc/rfc2513.txt:        collection of accounting records across all interfaces.
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-        When the value of acctngAdminStatus is modified to be
../data/rfc/rfc2513.txt-        'enabled', the value of this object will change to 'enabled'
../data/rfc/rfc2513.txt:        providing it is possible to begin collecting accounting
../data/rfc/rfc2513.txt-        records.
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-        When the value of acctngAdminStatus is modified to be
../data/rfc/rfc2513.txt-        'disabled', the value of this object will change to
../data/rfc/rfc2513.txt:        'disabled' as soon as the collection of accounting records
../data/rfc/rfc2513.txt-        has terminated."
../data/rfc/rfc2513.txt-    ::= { acctngInterfaceControl 2 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-acctngProtection OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      TestAndIncr
--
../data/rfc/rfc2513.txt-        "A control object to protect against duplication of control
../data/rfc/rfc2513.txt-        commands.  Over some transport/network protocols, it is
../data/rfc/rfc2513.txt-        possible for SNMP messages to get duplicated.  Such
../data/rfc/rfc2513.txt-        duplication, if it occurred at just the wrong time, could
../data/rfc/rfc2513.txt-        cause serious disruption to the collection and retrieval of
../data/rfc/rfc2513.txt:        accounting data, e.g., if an SNMP message setting
../data/rfc/rfc2513.txt-        acctngFileCommand to 'swapToNewFile' were to be duplicated,
../data/rfc/rfc2513.txt:        a whole file of accounting data could be lost.
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-        To protect against such duplication, a management
../data/rfc/rfc2513.txt-        application should retrieve the value of this object, and
../data/rfc/rfc2513.txt-        include in the Set operation needing protection, a variable
../data/rfc/rfc2513.txt-        binding which sets this object to the retrieved value."
--
../data/rfc/rfc2513.txt-        current file as and when that file becomes full."
../data/rfc/rfc2513.txt-    ::= { acctngInterfaceControl 4 }
../data/rfc/rfc2513.txt-
--
../data/rfc/rfc2513.txt-acctngInterfaceTable OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      SEQUENCE OF AcctngInterfaceEntry
../data/rfc/rfc2513.txt-    MAX-ACCESS  not-accessible
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "A table controlling the collection of accounting data on
../data/rfc/rfc2513.txt-        specific interfaces of the switch."
../data/rfc/rfc2513.txt-    ::= { acctngInterfaceControl 5 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-acctngInterfaceEntry OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      AcctngInterfaceEntry
../data/rfc/rfc2513.txt-    MAX-ACCESS  not-accessible
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "An entry which controls whether accounting data is to be
../data/rfc/rfc2513.txt-        collected on an interface.  The types of interfaces which
../data/rfc/rfc2513.txt-        are represented in this table are implementation-specific."
../data/rfc/rfc2513.txt-    INDEX   { ifIndex }
../data/rfc/rfc2513.txt-    ::= { acctngInterfaceTable 1 }
../data/rfc/rfc2513.txt-
--
../data/rfc/rfc2513.txt-acctngInterfaceEnable OBJECT-TYPE
../data/rfc/rfc2513.txt-    SYNTAX      TruthValue
../data/rfc/rfc2513.txt-    MAX-ACCESS  read-write
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt:        "Indicates whether the collection of accounting data is
../data/rfc/rfc2513.txt-        enabled on this interface."
../data/rfc/rfc2513.txt-    ::= { acctngInterfaceEntry 1 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt--- Objects for controlling the use of Notifications
../data/rfc/rfc2513.txt-
--
../data/rfc/rfc2513.txt-        full' trap is generated.  The value of 0 indicates that no
../data/rfc/rfc2513.txt-        'nearly-full' trap is to be generated."
../data/rfc/rfc2513.txt-    ::= { acctngTrapControl 1 }
--
../data/rfc/rfc2513.txt-        acctngFileFull traps are enabled."
../data/rfc/rfc2513.txt-    ::= { acctngTrapControl 2 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt--- notifications
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt:acctngNotifications OBJECT IDENTIFIER ::= { accountingControlMIB 2 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-acctngNotifyPrefix OBJECT IDENTIFIER ::= { acctngNotifications 0 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-acctngFileNearlyFull NOTIFICATION-TYPE
--
../data/rfc/rfc2513.txt-              acctngControlTrapThreshold,
../data/rfc/rfc2513.txt-              acctngFileNameSuffix }
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "An indication that the size of the file into which
../data/rfc/rfc2513.txt:        accounting information is currently being collected has
../data/rfc/rfc2513.txt-        exceeded the threshold percentage of its maximum file size.
../data/rfc/rfc2513.txt-        This notification is generated only at the time of the
../data/rfc/rfc2513.txt-        transition from not-exceeding to exceeding."
../data/rfc/rfc2513.txt-    ::= { acctngNotifyPrefix 1 }
../data/rfc/rfc2513.txt-
--
../data/rfc/rfc2513.txt-              acctngFileMaximumSize,
../data/rfc/rfc2513.txt-              acctngFileNameSuffix }
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "An indication that the size of the file into which
../data/rfc/rfc2513.txt:        accounting information is currently being collected has
../data/rfc/rfc2513.txt-        transitioned to its maximum file size.  This notification
../data/rfc/rfc2513.txt-        is generated (for all values of acctngAgentMode) at the time
../data/rfc/rfc2513.txt-        of the transition from not-full to full.  If acctngAgentMode
../data/rfc/rfc2513.txt-        has the value 'swapOnCommand', it is also generated
../data/rfc/rfc2513.txt-        periodically thereafter until such time as collection of
../data/rfc/rfc2513.txt-        data is no longer inhibited by the file full condition."
../data/rfc/rfc2513.txt-    ::= { acctngNotifyPrefix 2 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt--- conformance information
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt:acctngConformance OBJECT IDENTIFIER ::= { accountingControlMIB 3 }
../data/rfc/rfc2513.txt-acctngGroups      OBJECT IDENTIFIER ::= { acctngConformance 1 }
../data/rfc/rfc2513.txt-acctngCompliances OBJECT IDENTIFIER ::= { acctngConformance 2 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-acctngCompliance MODULE-COMPLIANCE
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "The compliance statement for switches which implement the
../data/rfc/rfc2513.txt:        Accounting Control MIB."
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-    MODULE  -- this module
../data/rfc/rfc2513.txt-        MANDATORY-GROUPS { acctngBasicGroup,
../data/rfc/rfc2513.txt-                           acctngNotificationsGroup }
../data/rfc/rfc2513.txt-
--
../data/rfc/rfc2513.txt-        MIN-ACCESS  read-only
../data/rfc/rfc2513.txt-        DESCRIPTION "The minimal requirement is for collection on
../data/rfc/rfc2513.txt-                    connection release."
--
../data/rfc/rfc2513.txt-        acctngControlTrapEnable
../data/rfc/rfc2513.txt-    }
../data/rfc/rfc2513.txt-    STATUS      current
../data/rfc/rfc2513.txt-    DESCRIPTION
../data/rfc/rfc2513.txt-        "A collection of objects providing control of the basic
../data/rfc/rfc2513.txt:        collection of accounting data for connection-oriented
../data/rfc/rfc2513.txt-        networks."
../data/rfc/rfc2513.txt-    ::= { acctngGroups 1 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-acctngNotificationsGroup NOTIFICATION-GROUP
../data/rfc/rfc2513.txt-    NOTIFICATIONS { acctngFileNearlyFull, acctngFileFull }
--
../data/rfc/rfc2513.txt-        "The notifications of events relating to controlling the
../data/rfc/rfc2513.txt:        collection of accounting data."
../data/rfc/rfc2513.txt-    ::= { acctngGroups 2 }
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-END
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-5.  Acknowledgements
--
../data/rfc/rfc2513.txt-   [11] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message
../data/rfc/rfc2513.txt-        Processing and Dispatching for the Simple Network Management
../data/rfc/rfc2513.txt-        Protocol (SNMP)", RFC 2272, January 1998.
--
../data/rfc/rfc2513.txt-        "Specification of Basic Encoding Rules for Abstract Syntax
../data/rfc/rfc2513.txt-        Notation One (ASN.1)", International Organization for
../data/rfc/rfc2513.txt-        Standardization, International Standard 8825, December 1987.
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-   [19] McCloghrie, K., Heinanen, J., Greene, W. and A. Prasad,
../data/rfc/rfc2513.txt:        "Accounting Information for ATM Networks", RFC 2512, February
../data/rfc/rfc2513.txt-        1999.
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-   [20] Noto, M., Spiegel, E. and K. Tesink, "Definitions of Textual
../data/rfc/rfc2513.txt-        Conventions and OBJECT-IDENTITIES for ATM Management", RFC 2514,
../data/rfc/rfc2513.txt-        February 1999.
--
../data/rfc/rfc2513.txt-7.  Security Considerations
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-   The MIB defined in this memo controls and monitors the collection of
../data/rfc/rfc2513.txt:   accounting data.  Care should be taken to prohibit unauthorized
../data/rfc/rfc2513.txt-   access to this control capability in order to prevent the disruption
../data/rfc/rfc2513.txt-   of data collection, possibly with fraudulent intent.  Examples of
../data/rfc/rfc2513.txt-   such disruption are disabling the collection of data, or causing the
../data/rfc/rfc2513.txt-   wrong set of data items to be collected.
../data/rfc/rfc2513.txt-
--
../data/rfc/rfc2513.txt-9.  Authors' Addresses
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-   Keith McCloghrie
--
../data/rfc/rfc2513.txt-10.  Full Copyright Statement
../data/rfc/rfc2513.txt-
../data/rfc/rfc2513.txt-   Copyright (C) The Internet Society (1999).  All Rights Reserved.
--
../data/rfc/rfc4838.txt-4.2.  Custody Transfer State
../data/rfc/rfc4838.txt-
../data/rfc/rfc4838.txt-   Custody transfer state includes information required to keep account
../data/rfc/rfc4838.txt-   of bundles for which a node has taken custody, as well as the
../data/rfc/rfc4838.txt-   protocol state related to transferring custody for one or more of
../data/rfc/rfc4838.txt:   them.  The accounting-related state is created when a bundle is
../data/rfc/rfc4838.txt-   received.  Custody transfer retransmission state is created when a
../data/rfc/rfc4838.txt-   transfer of custody is initiated by forwarding a bundle with the
../data/rfc/rfc4838.txt-   custody transfer requested delivery option specified.  Retransmission
../data/rfc/rfc4838.txt:   state and accounting state may be released upon receipt of one or
../data/rfc/rfc4838.txt-   more Custody Transfer Succeeded signals, indicating custody has been
../data/rfc/rfc4838.txt-   moved.  In addition, the bundle's expiration time (possibly mitigated
../data/rfc/rfc4838.txt-   by local policy) provides an upper bound on the time when this state
../data/rfc/rfc4838.txt-   is purged from the system in the event that it is not purged
../data/rfc/rfc4838.txt-   explicitly due to receipt of a signal.
--
../data/rfc/rfc5666.txt-
../data/rfc/rfc5666.txt-RFC 5666               RDMA Transport for RPC               January 2010
../data/rfc/rfc5666.txt-
../data/rfc/rfc5666.txt-
../data/rfc/rfc5666.txt-   account for its required Done messages to the server in its
../data/rfc/rfc5666.txt:   accounting of available credits, and the server SHOULD replenish any
../data/rfc/rfc5666.txt-   credit consumed by its use of such exchanges at its earliest
../data/rfc/rfc5666.txt-   opportunity.
../data/rfc/rfc5666.txt-
../data/rfc/rfc5666.txt-   Finally, it is possible to conceive of RPC exchanges that involve any
../data/rfc/rfc5666.txt-   or all combinations of write chunks in the RPC call, read chunks in
--
../data/rfc/rfc7554.txt-   RPL is able to quickly build up network routes, distribute routing
../data/rfc/rfc7554.txt-   knowledge among nodes, and adapt to a changing topology.  In a
../data/rfc/rfc7554.txt-   typical setting, nodes are connected through multi-hop paths to a
../data/rfc/rfc7554.txt-   small set of root devices, which are usually responsible for data
../data/rfc/rfc7554.txt-   collection and coordination.  For each of them, a Destination-
../data/rfc/rfc7554.txt:   Oriented Directed Acyclic Graph (DODAG) is created by accounting for
../data/rfc/rfc7554.txt-   link costs, node attributes/status information, and an Objective
../data/rfc/rfc7554.txt-   Function, which maps the optimization requirements of the target
../data/rfc/rfc7554.txt-   scenario.
../data/rfc/rfc7554.txt-
../data/rfc/rfc7554.txt-   The topology is set up based on a Rank metric, which encodes the
--
../data/rfc/rfc7598.txt-   address bits).
../data/rfc/rfc7598.txt-
../data/rfc/rfc7598.txt-   The DHCPv6 options described here tie the provisioning parameters,
../data/rfc/rfc7598.txt-   and hence the IPv4 service itself, to the End-user IPv6 prefix
../data/rfc/rfc7598.txt-   lifetime.  The validity of a Softwire46's IPv4 address, prefix, or
../data/rfc/rfc7598.txt:   shared IPv4 address; port set; and any authorization and accounting
../data/rfc/rfc7598.txt-   are tied to the lifetime of its associated End-user IPv6 prefix.
../data/rfc/rfc7598.txt-
../data/rfc/rfc7598.txt-   To support more than one mechanism at a time and to allow for a
../data/rfc/rfc7598.txt-   possibility of transition between them, the DHCPv6 Option Request
../data/rfc/rfc7598.txt-   Option (ORO) [RFC3315] is used.  Each mechanism has a corresponding
--
../data/rfc/rfc2588.txt-   sections.
../data/rfc/rfc2588.txt-
../data/rfc/rfc2588.txt-   Note that because a firewall is often a convenient place to
../data/rfc/rfc2588.txt-   centralize the administration of the intranet, some firewalls might
../data/rfc/rfc2588.txt-   also perform additional administrative functions - for example,
../data/rfc/rfc2588.txt:   auditing, accounting, and resource monitoring.  These additional
../data/rfc/rfc2588.txt-   functions, however, are outside the scope of this document, because
../data/rfc/rfc2588.txt-   they are not specifically *firewall*-related.  They are equally
../data/rfc/rfc2588.txt-   applicable to an administrative domain that is not firewalled.
../data/rfc/rfc2588.txt-
../data/rfc/rfc2588.txt-6.  Supporting a Multicast Security Policy
--
../data/rfc/rfc585.txt-   address system.
../data/rfc/rfc585.txt-
../data/rfc/rfc585.txt-   d.  (Discussion of the current work on the Mail Protocol indicated
../data/rfc/rfc585.txt-       that some of these ideas are already being considered)
../data/rfc/rfc585.txt-
../data/rfc/rfc585.txt:   8.  Uniform Accounting Procedures and Online Status of Accounts
../data/rfc/rfc585.txt-
../data/rfc/rfc585.txt-   a.  This topic was covered in detail by sections of the Resource
../data/rfc/rfc585.txt-       Sharing Workshop.  It is mentioned here only because it is a
../data/rfc/rfc585.txt-       problem of real concern to users.
../data/rfc/rfc585.txt-
../data/rfc/rfc585.txt-   9.  Trial Usage and Browsing
../data/rfc/rfc585.txt-
../data/rfc/rfc585.txt-   a.  Ideally, users should be allowed some `free' sampling of
../data/rfc/rfc585.txt-       systems and features available at each site.  Practically, this
../data/rfc/rfc585.txt:       presents problems of space allocation, accounting, consulting,
../data/rfc/rfc585.txt-       etc.  Although none of these problems are easy to solve
../data/rfc/rfc585.txt-       equitably, an attempt should still be made to provide some free
../data/rfc/rfc585.txt-       usage to everyone.
../data/rfc/rfc585.txt-   b.  Several types of trial usage should be considered, such as for
../data/rfc/rfc585.txt-       those who will make an immediate commitment and those who wish
--
../data/rfc/rfc3748.txt-      authentication service to an authenticator.  When used, this
../data/rfc/rfc3748.txt-      server typically executes EAP methods for the authenticator.  This
../data/rfc/rfc3748.txt-      terminology is also used in [IEEE-802.1X].
../data/rfc/rfc3748.txt-
../data/rfc/rfc3748.txt-   AAA
../data/rfc/rfc3748.txt:      Authentication, Authorization, and Accounting.  AAA protocols with
../data/rfc/rfc3748.txt-      EAP support include RADIUS [RFC3579] and Diameter [DIAM-EAP].  In
../data/rfc/rfc3748.txt-      this document, the terms "AAA server" and "backend authentication
../data/rfc/rfc3748.txt-      server" are used interchangeably.
../data/rfc/rfc3748.txt-
../data/rfc/rfc3748.txt-   Displayable Message
--
../data/rfc/rfc7561.txt-   parameters between IEEE 802.11 and PMIPv6 QoS is described in
../data/rfc/rfc7561.txt-   Section 4.
../data/rfc/rfc7561.txt-
../data/rfc/rfc7561.txt-1.1.
Abbreviations ../data/rfc/rfc7561.txt- ../data/rfc/rfc7561.txt: AAA Authentication, Authorization, and Accounting ../data/rfc/rfc7561.txt- AARP Allocation and Retention Priority ../data/rfc/rfc7561.txt- AC Access Category ../data/rfc/rfc7561.txt- ADDTS ADD Traffic Stream ../data/rfc/rfc7561.txt- AIFS Arbitration Inter-Frame Space ../data/rfc/rfc7561.txt- ALG Application Layer Gateway -- ../data/rfc/rfc3439.txt- TCP good-put [ROMANOV] on ATM showed that large UBR buffers (larger ../data/rfc/rfc3439.txt- than one TCP window size) are required to achieve reasonable ../data/rfc/rfc3439.txt- performance, that packet discard mechanisms (such as Early Packet ../data/rfc/rfc3439.txt- Discard, or EPD) improve the effective usage of the bandwidth and ../data/rfc/rfc3439.txt- that more elaborate service and drop strategies than FIFO+EPD, such ../data/rfc/rfc3439.txt: as per VC queuing and accounting, might be required at the bottleneck ../data/rfc/rfc3439.txt- to ensure both high efficiency and fairness. Though all studies ../data/rfc/rfc3439.txt- clearly indicate that a buffer size not less than one TCP window size ../data/rfc/rfc3439.txt- is required, the amount of extra buffer required naturally depends on ../data/rfc/rfc3439.txt- the packet discard mechanism used and is still an open issue. ../data/rfc/rfc3439.txt- -- ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt- NWG/RFC #s: 76 ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt- 76 describes the PDP-11 ARPA Network Terminal System implementation. ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt:H. ACCOUNTING ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt- To be published: B. Kahn, BBN, will generate an RFC discussing ../data/rfc/rfc100.txt: important considerations for an accounting mechanism. 
../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt- NWG.RFC #s: 77, 82 ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt- This topic will be addressed by the long-range Host/Host protocol ../data/rfc/rfc100.txt- committee, set up at the Network meeting, University of Illinois, ../data/rfc/rfc100.txt- February 1971. ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt: 77 and 82 discuss the need for some network accounting scheme, ../data/rfc/rfc100.txt- primarily for sites classified as Service Centers rather than ../data/rfc/rfc100.txt- Research Centers. ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt- -- ../data/rfc/rfc100.txt- NWG/RFC #s: 88, 90 ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt- G.5 Illinois ../data/rfc/rfc100.txt- NWG/RFC #s: 76 ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt: H. ACCOUNTING ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt- NWG/RFC #s: 77, 82 ../data/rfc/rfc100.txt- ../data/rfc/rfc100.txt- I. OTHER ../data/rfc/rfc100.txt- -- ../data/rfc/rfc4201.txt- 3.6. Maximum Bandwidth ...................................... 8 ../data/rfc/rfc4201.txt- 3.7. Maximum Reservable Bandwidth ........................... 8 ../data/rfc/rfc4201.txt- 3.8. Unreserved Bandwidth ................................... 8 ../data/rfc/rfc4201.txt- 3.9. Resource Classes (Administrative Groups) ............... 8 ../data/rfc/rfc4201.txt- 3.10. Maximum LSP Bandwidth ................................. 8 ../data/rfc/rfc4201.txt: 4. Bandwidth Accounting ......................................... 9 ../data/rfc/rfc4201.txt- 5. Security Considerations ...................................... 9 ../data/rfc/rfc4201.txt- 6. IANA Considerations .......................................... 9 ../data/rfc/rfc4201.txt- 7. References ................................................... 10 ../data/rfc/rfc4201.txt- 7.1. Normative References ................................... 10 ../data/rfc/rfc4201.txt- 7.2. Informative References ................................. 
11 -- ../data/rfc/rfc4201.txt- ../data/rfc/rfc4201.txt- The details of how Maximum LSP Bandwidth is carried in IS-IS is given ../data/rfc/rfc4201.txt- in [GMPLS-ISIS]. The details of how Maximum LSP Bandwidth is carried ../data/rfc/rfc4201.txt- in OSPF is given in [GMPLS-OSPF]. ../data/rfc/rfc4201.txt- ../data/rfc/rfc4201.txt:4. Bandwidth Accounting ../data/rfc/rfc4201.txt- ../data/rfc/rfc4201.txt- The RSVP (or CR-LDP) Traffic Control module, or its equivalent, on an ../data/rfc/rfc4201.txt- LSR with bundled links must apply admission control on a per- ../data/rfc/rfc4201.txt- component link basis. An LSP with a bandwidth requirement b and ../data/rfc/rfc4201.txt- setup priority p fits in a bundled link if at least one component -- ../data/rfc/rfc487.txt-privileges - for example, store commands can be implemented via an ../data/rfc/rfc487.txt-append mechanism. If I wanted a file sent to me I could create an empty ../data/rfc/rfc487.txt-file with unlimited append access. I would then inform the foreign user ../data/rfc/rfc487.txt-to store (append?) to that file. ../data/rfc/rfc487.txt- ../data/rfc/rfc487.txt: The problem of accounting is somewhat more complex. Clearly, ../data/rfc/rfc487.txt-storing a file in a user's directory can be charged to that user. When ../data/rfc/rfc487.txt-retrieving a file from a general system directory, there is no "user" ../data/rfc/rfc487.txt-specified, and overhead may have to be billed. The former case involved ../data/rfc/rfc487.txt-both CPU time for transfer and secondary storage charges for storing the ../data/rfc/rfc487.txt-new file. In the latter case, only CPU charges are involved, and these -- ../data/rfc/rfc6252.txt- The handover delay is attributed to several factors, such as ../data/rfc/rfc6252.txt- discovery, configuration, authentication, binding update, and media ../data/rfc/rfc6252.txt- delivery. 
Many of the security-related procedures, such as handover ../data/rfc/rfc6252.txt- keying and re-authentication procedures, deal with cases where there ../data/rfc/rfc6252.txt- is a single source of trust at the top, and the underlying ../data/rfc/rfc6252.txt: Authentication, Authorization, and Accounting (AAA) domain elements ../data/rfc/rfc6252.txt- trust the top source of trust and the keys it generates and ../data/rfc/rfc6252.txt- distributes. In this scenario, there is an appreciable delay in ../data/rfc/rfc6252.txt- re-establishing link-security-related parameters, such as ../data/rfc/rfc6252.txt- authentication, link key management, and access authorization during ../data/rfc/rfc6252.txt- inter-domain handover. The focus of this document is the design of a -- ../data/rfc/rfc6098.txt-3.2.2. Notification Message between a Foreign Agent and a Mobile Node ../data/rfc/rfc6098.txt- ../data/rfc/rfc6098.txt- There are two cases where an FA may send notification messages to an ../data/rfc/rfc6098.txt- MN -- one where it is relaying a message, the other where the ../data/rfc/rfc6098.txt- notification is triggered by a message from another network entity, ../data/rfc/rfc6098.txt: for example, an Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc6098.txt- node. (Notification messages between a AAA entity and the FA could ../data/rfc/rfc6098.txt- be based on RADIUS or Diameter, but this is out of scope for this ../data/rfc/rfc6098.txt- document.) If the notification is initiated by an FA, the FA may ../data/rfc/rfc6098.txt- also need to notify the HA about the event. ../data/rfc/rfc6098.txt- -- ../data/rfc/rfc8578.txt- Utilities often have very large private telecommunications networks ../data/rfc/rfc8578.txt- that can cover an entire territory/country. 
Until now, the main ../data/rfc/rfc8578.txt- purposes of these networks have been to (1) support transmission ../data/rfc/rfc8578.txt- network monitoring, control, and automation, (2) support remote ../data/rfc/rfc8578.txt- control of generation sites, and (3) provide FCAPS (Fault, ../data/rfc/rfc8578.txt: Configuration, Accounting, Performance, and Security) services from ../data/rfc/rfc8578.txt- centralized network operation centers. ../data/rfc/rfc8578.txt- ../data/rfc/rfc8578.txt- Going forward, one network will support the operation and maintenance ../data/rfc/rfc8578.txt- of electrical networks (generation, transmission, and distribution), ../data/rfc/rfc8578.txt- voice and data services for tens of thousands of employees and for -- ../data/rfc/rfc6728.txt-1. Introduction ../data/rfc/rfc6728.txt- ../data/rfc/rfc6728.txt- IPFIX- and PSAMP-compliant Monitoring Devices (routers, switches, ../data/rfc/rfc6728.txt- monitoring probes, Collectors, etc.) offer various configuration ../data/rfc/rfc6728.txt- possibilities that allow adapting network monitoring to the goals and ../data/rfc/rfc6728.txt: purposes of the application, such as accounting and charging, traffic ../data/rfc/rfc6728.txt- analysis, performance monitoring, and security monitoring. The use ../data/rfc/rfc6728.txt- of a common vendor-independent configuration data model for IPFIX- ../data/rfc/rfc6728.txt- and PSAMP-compliant Monitoring Devices facilitates network management ../data/rfc/rfc6728.txt- and configuration, especially if Monitoring Devices of different ../data/rfc/rfc6728.txt- implementers or manufacturers are deployed simultaneously. On the -- ../data/rfc/rfc6645.txt-Request for Comments: 6645 Cisco Systems, Inc. 
../data/rfc/rfc6645.txt-Category: Informational July 2012 ../data/rfc/rfc6645.txt-ISSN: 2070-1721 ../data/rfc/rfc6645.txt- ../data/rfc/rfc6645.txt- ../data/rfc/rfc6645.txt: IP Flow Information Accounting and ../data/rfc/rfc6645.txt- Export Benchmarking Methodology ../data/rfc/rfc6645.txt- ../data/rfc/rfc6645.txt-Abstract ../data/rfc/rfc6645.txt- ../data/rfc/rfc6645.txt- This document provides a methodology and framework for quantifying -- ../data/rfc/rfc2801.txt- ../data/rfc/rfc2801.txt- o there are ways in which they can get their problems fixed through ../data/rfc/rfc2801.txt- the merchant (rather than the bank!) ../data/rfc/rfc2801.txt- ../data/rfc/rfc2801.txt- o there is a record of their transaction which can be used, for ../data/rfc/rfc2801.txt: example, to feed into accounting systems or, potentially, to ../data/rfc/rfc2801.txt- present to the tax authorities ../data/rfc/rfc2801.txt- ../data/rfc/rfc2801.txt-1.3 Baseline IOTP ../data/rfc/rfc2801.txt- ../data/rfc/rfc2801.txt- This specification is Baseline IOTP. It is a Baseline in that it -- ../data/rfc/rfc6934.txt- 4.2.2. All-ANCP ANX Control ...............................12 ../data/rfc/rfc6934.txt- 5. Concept of Access Node Control Mechanism for PON-Based Access ..13 ../data/rfc/rfc6934.txt- 6. Multicast ......................................................16 ../data/rfc/rfc6934.txt- 6.1. Multicast Conditional Access ..............................16 ../data/rfc/rfc6934.txt- 6.2. Multicast Admission Control ...............................18 ../data/rfc/rfc6934.txt: 6.3. Multicast Accounting ......................................30 ../data/rfc/rfc6934.txt- 7. Remote Connectivity Check ......................................31 ../data/rfc/rfc6934.txt- 8. Access Topology Discovery ......................................32 ../data/rfc/rfc6934.txt- 9. Access Loop Configuration ......................................34 ../data/rfc/rfc6934.txt- 10. 
Security Considerations .......................................34 ../data/rfc/rfc6934.txt- 11. Differences in ANCP Applicability between DSL and PON .........35 -- ../data/rfc/rfc6934.txt- identifiers. In the case of N:1 representation, the single VLAN ../data/rfc/rfc6934.txt- inserted by ANX could correspond to the PON interface on the OLT. ../data/rfc/rfc6934.txt- The access loop is represented via Customer-Port-ID received in the ../data/rfc/rfc6934.txt- "Agent Circuit ID" sub-option in DHCP messages. ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt: The NAS can perform bandwidth accounting on received IGMP messages. ../data/rfc/rfc6934.txt- The video bandwidth is also consumed by any unicast video being ../data/rfc/rfc6934.txt: delivered to the CPE. NAS can perform video bandwidth accounting and ../data/rfc/rfc6934.txt- control on both IGMP messages and on requests for unicast video ../data/rfc/rfc6934.txt- streams when either all unicast admission control is done by the NAS ../data/rfc/rfc6934.txt- or an external policy server makes a request to the NAS for using ../data/rfc/rfc6934.txt- shared bandwidth with multicast as described later in the document. ../data/rfc/rfc6934.txt- -- ../data/rfc/rfc6934.txt- requesting a policy server for bandwidth-based admission control for ../data/rfc/rfc6934.txt- the VoD stream. After authorizing the request, the policy server can ../data/rfc/rfc6934.txt- send a request to the NAS for the required bandwidth if it needs to ../data/rfc/rfc6934.txt- use bandwidth that is shared with multicast. This request may be ../data/rfc/rfc6934.txt- based on a protocol outside of the scope of this document. The NAS ../data/rfc/rfc6934.txt: checks if the available video bandwidth (accounting for both ../data/rfc/rfc6934.txt- multicast and unicast) per subscriber and for the link to the OLT is ../data/rfc/rfc6934.txt- sufficient for the request. 
If it is, it temporarily reserves the ../data/rfc/rfc6934.txt- bandwidth and sends an ANCP admission request to the OLT for the ../data/rfc/rfc6934.txt- subscriber, indicating the desired VoD bandwidth. If the OLT has ../data/rfc/rfc6934.txt- sufficient bandwidth on the corresponding PON, it reserves that -- ../data/rfc/rfc6934.txt- NAS, the policy server may make the admission request to the NAS. ../data/rfc/rfc6934.txt- The NAS then sends an ANCP admission request to the OLT on behalf of ../data/rfc/rfc6934.txt- the policy server. The NAS returns an accept or reject to the policy ../data/rfc/rfc6934.txt- server if it gets a reject or accept, respectively, from the OLT. ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt:6.3. Multicast Accounting ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt- It may be desirable to perform accurate time- or volume-based ../data/rfc/rfc6934.txt: accounting per user or per access loop. If the ANX is performing the ../data/rfc/rfc6934.txt- traffic replication process, it knows when replication of a multicast ../data/rfc/rfc6934.txt- flow to a particular Access Port or user starts and stops. Multicast ../data/rfc/rfc6934.txt: accounting can be addressed in two ways: ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt- -- ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt- - ANX keeps track of when replication starts or stops and reports ../data/rfc/rfc6934.txt- this information to the NAS for further processing. In this case, ../data/rfc/rfc6934.txt- ANCP can be used to send the information from the ANX to the NAS. ../data/rfc/rfc6934.txt- This can be done with the Information Report message. The NAS can ../data/rfc/rfc6934.txt: then generate the appropriate time and/or volume accounting ../data/rfc/rfc6934.txt- information per access loop and per multicast flow to be sent to ../data/rfc/rfc6934.txt: the accounting system. 
The ANCP requirements to support this ../data/rfc/rfc6934.txt- approach are specified in [RFC5851]. If the replication function ../data/rfc/rfc6934.txt- is distributed between the OLT and ONT/ONU, a query from the NAS ../data/rfc/rfc6934.txt- will result in OLT generating a query to the ONT/ONU. ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt- - ANX keeps track of when replication starts or stops and generates ../data/rfc/rfc6934.txt: the time- and/or volume-based accounting information per access ../data/rfc/rfc6934.txt- loop and per multicast flow, before sending it to a central ../data/rfc/rfc6934.txt: accounting system for logging. Since ANX communicates with this ../data/rfc/rfc6934.txt: accounting system directly, the approach does not require the use ../data/rfc/rfc6934.txt- of ANCP. It is therefore beyond the scope of this document. It ../data/rfc/rfc6934.txt- may also be desirable for the NAS to have the capability to ../data/rfc/rfc6934.txt- asynchronously query the ANX to obtain an instantaneous status ../data/rfc/rfc6934.txt- report related to multicast flows currently replicated by the ANX. ../data/rfc/rfc6934.txt- Such a reporting functionality could be useful for troubleshooting -- ../data/rfc/rfc6934.txt-Bitar, et al. Informational [Page 34] ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt-RFC 6934 ANCP in PON-Based Networks June 2013 ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt: User activity logging for accounting or tracking purposes could raise ../data/rfc/rfc6934.txt- privacy concerns if not appropriately protected. To protect such ../data/rfc/rfc6934.txt: information, logging/accounting information can be exchanged with the ../data/rfc/rfc6934.txt- corresponding server over a secure channel, and the information can ../data/rfc/rfc6934.txt- be stored securely with policy-driven controlled access. ../data/rfc/rfc6934.txt- ../data/rfc/rfc6934.txt-11. 
Differences in ANCP Applicability between DSL and PON ../data/rfc/rfc6934.txt- -- ../data/rfc/rfc3483.txt-Abstract ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- Common Open Policy Services (COPS) Protocol (RFC 2748), defines the ../data/rfc/rfc3483.txt- capability of reporting information to the Policy Decision Point ../data/rfc/rfc3483.txt- (PDP). The types of report information are success, failure and ../data/rfc/rfc3483.txt: accounting of an installed state. This document focuses on the COPS ../data/rfc/rfc3483.txt: Report Type of Accounting and the necessary framework for the ../data/rfc/rfc3483.txt- monitoring and reporting of usage feedback for an installed state. ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt-Conventions used in this document ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", -- ../data/rfc/rfc3483.txt-RFC 3483 COPS Feedback Framework March 2003 ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- The scope of this document is to describe the framework for policy ../data/rfc/rfc3483.txt- usage monitored and reported by the PEP and collected at the PDP. ../data/rfc/rfc3483.txt: The charging, rating and billing models, as well as other accounting ../data/rfc/rfc3483.txt- or statistics gathering events, detectable by the PDP are beyond the ../data/rfc/rfc3483.txt- scope of this framework. ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt-2 Overview ../data/rfc/rfc3483.txt- -- ../data/rfc/rfc3483.txt- like thresholds or a change in the data. ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt-3 Requirements for Normal Operations ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- Per COPS [RFC2748], the PDP specifies the minimum feedback interval ../data/rfc/rfc3483.txt: in the Accounting Timer object that is included in the Client Accept ../data/rfc/rfc3483.txt- message during connection establishment. 
This specifies the maximum ../data/rfc/rfc3483.txt: frequency with which the PEP issues unsolicited accounting type ../data/rfc/rfc3483.txt- report messages. The purpose of this interval is to pace the number ../data/rfc/rfc3483.txt- of report messages sent to the PDP. It is not the goal of the ../data/rfc/rfc3483.txt- interval defined by the ACCT Timer value to provide precision ../data/rfc/rfc3483.txt- synchronization or timing. ../data/rfc/rfc3483.txt- -- ../data/rfc/rfc3483.txt- feedback reporting are defined by the PDP. Feedback policies, which ../data/rfc/rfc3483.txt- define the necessary selection and linkages to usage feedback ../data/rfc/rfc3483.txt- criteria, are included by the PDP in a Decision message to the PEP. ../data/rfc/rfc3483.txt- The usage feedback is then periodically reported by the PEP, at ../data/rfc/rfc3483.txt- intervals defined in the linkage policies at a rate no more ../data/rfc/rfc3483.txt: frequently than specified in the Accounting Timer object. Note that ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt-Rawlins, et al. Informational [Page 3] ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt-RFC 3483 COPS Feedback Framework March 2003 ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- there are exceptions where reports containing feedback are provided ../data/rfc/rfc3483.txt: prior to the Accounting Timer interval (see section 6). The PDP may ../data/rfc/rfc3483.txt- also solicit usage feedback which is to be reported back immediately ../data/rfc/rfc3483.txt- by the PEP. Usage information may be cleared upon reporting. This ../data/rfc/rfc3483.txt- is specified in the usage policy criteria. ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- The PEP monitors and tracks the usage feedback information. 
The PDP ../data/rfc/rfc3483.txt- is the collection point for the policy usage feedback information ../data/rfc/rfc3483.txt- reported by the PEP clients within the administrative domain. The ../data/rfc/rfc3483.txt: PDP may also collect other accounting event information that is ../data/rfc/rfc3483.txt- outside the scope of this document. ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt-4 Periodic Nature of Policy Usage Feedback ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- Generally the policy usage feedback is periodic in nature and the -- ../data/rfc/rfc3483.txt- the interval defined by the PDP. The periodic unsolicited reports ../data/rfc/rfc3483.txt- are dictated by timer intervals and use a deterministic amount of ../data/rfc/rfc3483.txt- network resources. ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- The PDP informs the PEP of the minimal feedback interval during ../data/rfc/rfc3483.txt: client connection establishment with the Accounting Timer object. ../data/rfc/rfc3483.txt- The PDP may specify feedback intervals in the specific usage feedback ../data/rfc/rfc3483.txt- policies as well. The unsolicited monitoring and reporting by the ../data/rfc/rfc3483.txt- PEP may be suspended and resumed at the direction of the PDP. ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt-4.1 Reporting Intervals -- ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- The periodic feedback for a usage policy can be further defined in ../data/rfc/rfc3483.txt- terms of providing feedback if there is a change or providing ../data/rfc/rfc3483.txt- feedback periodically regardless of a change in value. ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt: The periodic interval is defined in terms of the Accounting Object, ../data/rfc/rfc3483.txt- ACCT Timer value. A single interval is equal to the number of ../data/rfc/rfc3483.txt- seconds specified by the ACCT Timer value. 
The PDP may define a ../data/rfc/rfc3483.txt- specific number of intervals, which are to pass before the PEP ../data/rfc/rfc3483.txt- provides the usage feedback for a specific policy in a report. When ../data/rfc/rfc3483.txt- the ACCT Timer value is equal to zero there is no unsolicited usage -- ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- The PEP, upon receiving a solicit decision from the PDP, shall ../data/rfc/rfc3483.txt- provide the requested usage information and clear the usage ../data/rfc/rfc3483.txt- information if the usage policy requires that the attribute be ../data/rfc/rfc3483.txt- cleared after reporting. The PEP should continue to maintain the ../data/rfc/rfc3483.txt: same interval schedule as defined by the PDP in the Accounting Timer ../data/rfc/rfc3483.txt- object and established at client connection acceptance. ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt-5 Suspension, Resumption and Halting of Usage Monitoring and Reporting ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- The PDP may direct the PEP to suspend usage feedback report messages -- ../data/rfc/rfc3483.txt-6 Solicited Feedback ../data/rfc/rfc3483.txt- ../data/rfc/rfc3483.txt- There may be instances when it is useful for the PDP to control the ../data/rfc/rfc3483.txt- feedback per an on-demand basis rather than a periodic basis. The ../data/rfc/rfc3483.txt- PDP may solicit the PEP for usage feedback with a Decision. The PDP ../data/rfc/rfc3483.txt: may solicit usage feedback at any time during the accounting interval ../data/rfc/rfc3483.txt- defined by the ACCT Timer. The PEP responds immediately and reports ../data/rfc/rfc3483.txt- the appropriate usage policies and should continue to follow the ../data/rfc/rfc3483.txt- usage feedback interval schedule established during connection ../data/rfc/rfc3483.txt- acceptance. 
../data/rfc/rfc3483.txt- -- ../data/rfc/rfc524.txt- ../data/rfc/rfc524.txt- An Id is represented in the Protocol by the command: ../data/rfc/rfc524.txt- ../data/rfc/rfc524.txt- ID <id> <CA> ../data/rfc/rfc524.txt- ../data/rfc/rfc524.txt: Ids have nothing to do with accounting, and when required by a ../data/rfc/rfc524.txt- server, they're required only to protect that server from forgery ../data/rfc/rfc524.txt- or misrepresentation. ../data/rfc/rfc524.txt- ../data/rfc/rfc524.txt- INDIVIDUAL ../data/rfc/rfc524.txt- -- ../data/rfc/rfc524.txt- Agents (who implement the User Verification Function); and many hosts ../data/rfc/rfc524.txt- who implement the Delivery and Forwarding functions. ../data/rfc/rfc524.txt- ../data/rfc/rfc524.txt- In general, a host is free to implement any, all, or none of the ../data/rfc/rfc524.txt- functions defined by the Protocol; and a host is free to require a ../data/rfc/rfc524.txt: login (for purposes of accounting) before permitting a user process ../data/rfc/rfc524.txt- access to any of the function(s) it has implemented. ../data/rfc/rfc524.txt- ../data/rfc/rfc524.txt- An FTP server process who chooses to not implement MP or a particular ../data/rfc/rfc524.txt- MP function simply rejects the command that requests the ../data/rfc/rfc524.txt- unimplemented server with the reply: -- ../data/rfc/rfc524.txt- commands are: ../data/rfc/rfc524.txt- ../data/rfc/rfc524.txt- BYTE, SOCK, PASV, TYPE, STRU, MODE, REST, and SITE. ../data/rfc/rfc524.txt- ../data/rfc/rfc524.txt- The following commands borrowed from FTP are defined (also) as MP ../data/rfc/rfc524.txt: commands to permit changes of accounting parameters within the MP ../data/rfc/rfc524.txt: subsystem. The accounting parameters in force when the subsystem ../data/rfc/rfc524.txt- is entered apply (if necessary) within the subsystem until ../data/rfc/rfc524.txt- changed. 
Values to which the parameters may have been changed
../data/rfc/rfc524.txt- while in the subsystem continue in effect upon return to the FTP
../data/rfc/rfc524.txt- command space. The borrowed commands are:
../data/rfc/rfc524.txt-
--
../data/rfc/rfc2905.txt-
../data/rfc/rfc2905.txt- 5. Three types of AAA messages are required:
../data/rfc/rfc2905.txt-
../data/rfc/rfc2905.txt- - authorization requests and responses for obtaining
../data/rfc/rfc2905.txt- authorization,
../data/rfc/rfc2905.txt: - notification messages for accounting purposes, and
../data/rfc/rfc2905.txt- - information requests and responses for getting information
../data/rfc/rfc2905.txt- regarding the correct construction of requests and for querying
../data/rfc/rfc2905.txt- the database of notifications.
../data/rfc/rfc2905.txt-
../data/rfc/rfc2905.txt-8. Security Considerations
--
../data/rfc/rfc2905.txt- Requirements", Work in Progress.
../data/rfc/rfc2905.txt-
../data/rfc/rfc2905.txt- [10] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
../data/rfc/rfc2905.txt-
../data/rfc/rfc2905.txt- [11] Glass, Steven, et al, "Mobile IP Authentication, Authorization,
../data/rfc/rfc2905.txt: and Accounting Requirements", Work in Progress.
../data/rfc/rfc2905.txt-
../data/rfc/rfc2905.txt- [12] Hiller, Tom, et al., "cdma2000 Wireless Data Requirements for
../data/rfc/rfc2905.txt- AAA", Work in Progress.
../data/rfc/rfc2905.txt-
../data/rfc/rfc2905.txt- [13] Neilson, Rob, Jeff Wheeler, Francis Reichmeyer, and Susan Hares,
--
../data/rfc/rfc1114.txt- which is "transparent" so that the organizations appear to be the
../data/rfc/rfc1114.txt- issuers with regard to certificate formats and validation procedures.
../data/rfc/rfc1114.txt- This is effected by having RSADSI generate and hold the secret
../data/rfc/rfc1114.txt- components used to sign certificates on behalf of organizations. The
../data/rfc/rfc1114.txt- motivation for RSADSI's role in certificate signing is twofold.
../data/rfc/rfc1114.txt: First, it simplifies accounting controls in support of licensing,
../data/rfc/rfc1114.txt- ensuring that RSADSI is paid for each certificate. Second, it
../data/rfc/rfc1114.txt- contributes to the overall integrity of the system by establishing a
../data/rfc/rfc1114.txt- uniform, high level of protection for the private components used to
../data/rfc/rfc1114.txt- sign certificates. If an organization were to sign certificates
../data/rfc/rfc1114.txt- directly on behalf of its affiliated users, the organization would
../data/rfc/rfc1114.txt: have to establish very stringent security and accounting mechanisms
../data/rfc/rfc1114.txt- and enter into (elaborate) legal agreements with RSADSI in order to
../data/rfc/rfc1114.txt- provide a comparable level of assurance. Requests by organizations
../data/rfc/rfc1114.txt- to perform direct certificate signing will be considered on a case-
../data/rfc/rfc1114.txt- by-case basis, but organizations are strongly urged to make use of
../data/rfc/rfc1114.txt- the facilities proposed by this RFC.
--
../data/rfc/rfc1114.txt- organization certificate, it would need to contact RSADSI to discuss
../data/rfc/rfc1114.txt- security safeguards, special legal agreements, etc. A number of
../data/rfc/rfc1114.txt- requirements would be imposed on an organization if such an approach
../data/rfc/rfc1114.txt- were pursued. The organization would be required to execute
../data/rfc/rfc1114.txt- additional legal instruments with RSADSI, e.g., to ensure proper
../data/rfc/rfc1114.txt: accounting for certificates generated by the organization. Special
../data/rfc/rfc1114.txt- software will be required to support the certificate signing process,
../data/rfc/rfc1114.txt- distinct from the software required for an ON. Stringent procedural,
../data/rfc/rfc1114.txt- physical, personnel and computer security safeguards would be
../data/rfc/rfc1114.txt- required to support this process, to maintain a relatively high level
../data/rfc/rfc1114.txt- of security for the system as a whole. Thus, at this time, it is not
--
../data/rfc/rfc1688.txt- future services.
../data/rfc/rfc1688.txt-
../data/rfc/rfc1688.txt- Ownership information could be used by other nodes to ascertain the
../data/rfc/rfc1688.txt- current topological location of the Mobile Node.
../data/rfc/rfc1688.txt-
../data/rfc/rfc1688.txt: Ownership information could also be used for generation of accounting
../data/rfc/rfc1688.txt- records.
../data/rfc/rfc1688.txt-
--
../data/rfc/rfc7862.txt-
../data/rfc/rfc7862.txt- size The logical file size of the file.
../data/rfc/rfc7862.txt-
../data/rfc/rfc7862.txt- space_used The size in bytes that the file occupies on disk.
../data/rfc/rfc7862.txt-
../data/rfc/rfc7862.txt: While these attributes are sufficient for space accounting in
../data/rfc/rfc7862.txt- traditional file systems, they prove to be inadequate in modern file
../data/rfc/rfc7862.txt- systems that support block-sharing. In such file systems, multiple
../data/rfc/rfc7862.txt- inodes (the metadata portion of the file system object) can point to
../data/rfc/rfc7862.txt- a single block with a block reference count to guard against
../data/rfc/rfc7862.txt- premature freeing. Having a way to tell the number of blocks that
--
../data/rfc/rfc2702.txt- 3.2 The Fundamental Problem of Traffic Engineering Over MPLS . 9
../data/rfc/rfc2702.txt- 4.0 Augmented Capabilities for Traffic Engineering Over MPLS . 10
../data/rfc/rfc2702.txt- 5.0 Traffic Trunk Attributes and Characteristics ........... 10
../data/rfc/rfc2702.txt- 5.1 Bidirectional Traffic Trunks ............................. 11
../data/rfc/rfc2702.txt- 5.2 Basic Operations on Traffic Trunks ....................... 12
../data/rfc/rfc2702.txt: 5.3 Accounting and Performance Monitoring .................... 12
../data/rfc/rfc2702.txt-
../data/rfc/rfc2702.txt-Awduche, et al. Informational [Page 1]
../data/rfc/rfc2702.txt-
--
../data/rfc/rfc2702.txt-
../data/rfc/rfc2702.txt- The above are considered the basic operations on traffic trunks.
../data/rfc/rfc2702.txt- Additional operations are also possible such as policing and traffic
../data/rfc/rfc2702.txt- shaping.
../data/rfc/rfc2702.txt-
../data/rfc/rfc2702.txt:5.3 Accounting and Performance Monitoring
../data/rfc/rfc2702.txt-
../data/rfc/rfc2702.txt: Accounting and performance monitoring capabilities are very important
../data/rfc/rfc2702.txt- to the billing and traffic characterization functions. Performance
../data/rfc/rfc2702.txt: statistics obtained from accounting and performance monitoring
../data/rfc/rfc2702.txt-
--
../data/rfc/rfc1272.txt- G. Ruth
../data/rfc/rfc1272.txt- BBN
../data/rfc/rfc1272.txt- November 1991
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: INTERNET ACCOUNTING: BACKGROUND
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt-Status of this Memo
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- This memo provides information for the Internet community. It does
../data/rfc/rfc1272.txt- not specify an Internet standard. Distribution of this memo is
../data/rfc/rfc1272.txt- unlimited.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt-1. Statement of Purpose
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- This document provides background information for the "Internet
../data/rfc/rfc1272.txt: Accounting Architecture" and is the first of a three document set:
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: Internet Accounting Background & Status (this document)
../data/rfc/rfc1272.txt: Internet Accounting Architecture (under construction)
../data/rfc/rfc1272.txt: Internet Accounting Meter Service (under construction)
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- The focus at this time is on defining METER SERVICES and USAGE
../data/rfc/rfc1272.txt- REPORTING which provide basic semantics for measuring network
../data/rfc/rfc1272.txt- utilization, a syntax, and a data reporting protocol. The intent is
../data/rfc/rfc1272.txt- to produce a set of standards that is of practical use for early
../data/rfc/rfc1272.txt: experimentation with usage reporting as an internet accounting
../data/rfc/rfc1272.txt- mechanism.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- The architecture should be expandable as additional experience is
../data/rfc/rfc1272.txt: gained. The short-term Internet Accounting solution is intended to
../data/rfc/rfc1272.txt- merge with OSI and Autonomous Network Research Group (ANRG) efforts
../data/rfc/rfc1272.txt- and be superseded by those efforts in the long term. The OSI
../data/rfc/rfc1272.txt: accounting working groups are currently defining meter syntax and
../data/rfc/rfc1272.txt- reporting protocols. The ANRG research group is currently
../data/rfc/rfc1272.txt: researching economic models and accounting tools for the Internet
../data/rfc/rfc1272.txt- environment.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: Internet Accounting as described here does not wrestle with the
../data/rfc/rfc1272.txt- applications of usage reporting, such as monitoring and enforcing
../data/rfc/rfc1272.txt- network policy; nor does it recommend approaches to billing or tackle
../data/rfc/rfc1272.txt- such thorny issues as who pays for packet retransmission.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- This document provides background and tutorial information on issues
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt-Mills, Hirsh, & Ruth [Page 1]
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt:RFC 1272 Internet Accounting: Background November 1991
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- surrounding the architecture, or in a sense, an explanation of
../data/rfc/rfc1272.txt: choices made in the Internet Accounting Architecture.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt-2. Goals for a Usage Reporting Architecture
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: We have adopted the accounting framework and terminology used by OSI
../data/rfc/rfc1272.txt- (ISO 7498-4 OSI Reference Model Part 4: Management Framework). This
../data/rfc/rfc1272.txt: framework defines a generalized accounting management activity which
../data/rfc/rfc1272.txt- includes calculations, usage reporting to users and providers and
../data/rfc/rfc1272.txt- enforcing various limits on the use of resources. Our own ambitions
../data/rfc/rfc1272.txt- are considerably more modest in that we are defining an architecture
../data/rfc/rfc1272.txt- to be used over the short-term (until ISO and ANRG have final
../data/rfc/rfc1272.txt- pronouncement and standards) that is limited to network USAGE
../data/rfc/rfc1272.txt- REPORTING.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: The OSI accounting model defines three basic entities:
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- 1) the METER, which performs measurements and aggregates the
../data/rfc/rfc1272.txt- results of those measurements;
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- 2) the COLLECTOR, which is responsible for the integrity and
--
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- network usage. Reporting alone is not sufficient to
../data/rfc/rfc1272.txt- enforce compliance with policies, but reports can
../data/rfc/rfc1272.txt- indicate whether it is necessary to develop additional
--
../data/rfc/rfc1272.txt- This offers an additional source of computational load
../data/rfc/rfc1272.txt- and network traffic due to the counting operations,
../data/rfc/rfc1272.txt- managing the reporting system, collecting the reported
../data/rfc/rfc1272.txt- data, and storing the resulting counts. Overhead
../data/rfc/rfc1272.txt- increases with the accuracy and reliability of the
../data/rfc/rfc1272.txt: accounting data.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o Post-processing overhead.
../data/rfc/rfc1272.txt- Resources are required to maintain the post-processing
../data/rfc/rfc1272.txt: tasks of maintaining the accounting database, generating
../data/rfc/rfc1272.txt- reports, and, if appropriate, distributing bills,
../data/rfc/rfc1272.txt- collecting revenue, servicing subscribers.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o Security overhead.
../data/rfc/rfc1272.txt- The use of security mechanisms will increase the overall
../data/rfc/rfc1272.txt: cost of accounting. Since accounting collects detailed
../data/rfc/rfc1272.txt- information about subscriber behavior on the network and
../data/rfc/rfc1272.txt- since these counts may also represent a flow of money, it
../data/rfc/rfc1272.txt: is necessary to have mechanisms to protect accounting
../data/rfc/rfc1272.txt- information from unauthorized disclosure or manipulation.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- The balance between cost and benefit is regulated by the GRANULARITY
../data/rfc/rfc1272.txt: of accounting information collected. This balance is policy-
../data/rfc/rfc1272.txt: dependent. To minimize costs and maximize benefit, accounting detail
../data/rfc/rfc1272.txt- is limited to the minimum amount to provide the necessary information
../data/rfc/rfc1272.txt- for the research and implementation of a particular policy.
../data/rfc/rfc1272.txt-
--
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt-3.2. Network Policy and Usage Reporting
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: Accounting requirements are driven by policy. Conversely, policy is
../data/rfc/rfc1272.txt- typically influenced by the available management/reporting tools and
../data/rfc/rfc1272.txt- their cost. This section is NOT a recommendation for billing
../data/rfc/rfc1272.txt- practices, but intended to provide additional background for
../data/rfc/rfc1272.txt- understanding the problems involved in implementing a simple,
../data/rfc/rfc1272.txt- adequate usage reporting system.
--
../data/rfc/rfc1272.txt- increasingly enmeshed (more cross-connections) and more diversified
../data/rfc/rfc1272.txt- (different charters and usage patterns). Each of these
../data/rfc/rfc1272.txt- administrations has different policies and by-laws about who may use
../data/rfc/rfc1272.txt- an individual network, who pays for it, and how the payment is
../data/rfc/rfc1272.txt- determined. Also, each administration balances the OVERHEAD costs of
../data/rfc/rfc1272.txt: accounting (metering, reporting, billing, collecting) against the
../data/rfc/rfc1272.txt- benefits of identifying usage and allocating costs.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- Some members of the Internet community are concerned that the
../data/rfc/rfc1272.txt- introduction of usage reporting will encourage new billing policies
../data/rfc/rfc1272.txt- which are detrimental to the current Internet infrastructure (though
--
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o QUANTIFY NETWORK IMPROVEMENTS,
../data/rfc/rfc1272.txt- (measure user and vendor efficiency in how network
../data/rfc/rfc1272.txt- resources are consumed to provide end-user data transport
../data/rfc/rfc1272.txt- service) and
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o MEASURE COMPLIANCE WITH POLICY.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: Accounting policies for network traffic already exist. But they are
../data/rfc/rfc1272.txt- usually based on network parameters which change seldom, if at all.
../data/rfc/rfc1272.txt- Such parameters require little monitoring (the line speed of a
../data/rfc/rfc1272.txt- physical connection, e.g., Ethernet, 9600 baud, FDDI). The connection
../data/rfc/rfc1272.txt- to the network is then charged to the subscriber as a FLAT-FEE
../data/rfc/rfc1272.txt- regardless of the amount of traffic passed across the connection and
--
../data/rfc/rfc1272.txt- Predictable monthly charges. No overhead costs for
../data/rfc/rfc1272.txt- counting packets and preparing usage-based reports.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o TECHNICAL:
../data/rfc/rfc1272.txt- Easing the sharing of resources. Eliminating the
../data/rfc/rfc1272.txt: headaches of needing another layer of accounting in proxy
../data/rfc/rfc1272.txt- servers which associate their usage with their clients'.
../data/rfc/rfc1272.txt- Examples of proxy servers which generate network traffic
../data/rfc/rfc1272.txt- on behalf of the actual user or subscriber are mail
../data/rfc/rfc1272.txt- daemons, network file servers, and print spoolers.
../data/rfc/rfc1272.txt-
--
../data/rfc/rfc1272.txt- In other cases USAGE-SENSITIVE charges may be preferred or required
../data/rfc/rfc1272.txt- by a local administration's policy. Government regulations or the
../data/rfc/rfc1272.txt- wishes of subscribers with low or intermittent traffic patterns may
../data/rfc/rfc1272.txt- force the issue (note: FLAT FEES are beneficial for heavy network
../data/rfc/rfc1272.txt- users. USAGE SENSITIVE charges generally benefit the low-volume
../data/rfc/rfc1272.txt: user). Where usage-sensitive accounting is used, cost ceilings and
../data/rfc/rfc1272.txt- floors may still be established by static parameters, such as "pipe
../data/rfc/rfc1272.txt- size" for fixed connections or "connection time" for dial-up
../data/rfc/rfc1272.txt- connection, to satisfy the need for some predictability.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- Different billing schemes may be employed depending on network
../data/rfc/rfc1272.txt- measures of distance. For example, local network traffic may be
../data/rfc/rfc1272.txt- flat-rate and remote internet traffic may be usage-based, analogous
--
../data/rfc/rfc1272.txt- telephone companies.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- The ANRG is independently investigating policy models and
../data/rfc/rfc1272.txt- infrastructure economics for billing and cost recovery.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt:3.3. The Nature of Usage Accounting
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: Although the exact requirements for internet usage accounting will
../data/rfc/rfc1272.txt- vary from one network administration to the next and will depend on
../data/rfc/rfc1272.txt- policies and cost trade-offs, it is possible to characterize the
../data/rfc/rfc1272.txt- problem in some broad terms and thereby bound it. Rather than try to
../data/rfc/rfc1272.txt- solve the problem in exhaustive generality (providing for every
../data/rfc/rfc1272.txt: imaginable set of accounting requirements), some assumptions about
../data/rfc/rfc1272.txt: usage accounting are posited in order to make the problem tractable
../data/rfc/rfc1272.txt- and to render implementations feasible. Since these assumptions form
../data/rfc/rfc1272.txt- the basis for our architectural and design work, it is important to
../data/rfc/rfc1272.txt- make them explicit from the outset and hold them up to the scrutiny
../data/rfc/rfc1272.txt- of the Internet community.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt:3.3.1. A Model for Internet Accounting
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- We begin with the assumption that there is a "network administrator"
../data/rfc/rfc1272.txt: or "network administration" to whom internet accounting is of
../data/rfc/rfc1272.txt- interest. He "owns" and operates some subset of the internet (one or
../data/rfc/rfc1272.txt- more connected networks) that may be called his "administrative
../data/rfc/rfc1272.txt- domain". This administrative domain has well defined boundaries.
../data/rfc/rfc1272.txt-
--
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- The network administrator is interested in 1) traffic within his
../data/rfc/rfc1272.txt- boundaries and 2) traffic crossing his boundaries. Within his
../data/rfc/rfc1272.txt- boundaries he may be interested in end-system to end-system
../data/rfc/rfc1272.txt: accounting or accounting at coarser granularities (e.g., department
../data/rfc/rfc1272.txt- to department).
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: The network administrator is usually not interested in accounting for
../data/rfc/rfc1272.txt- end-systems outside his administrative domain; his primary concern is
../data/rfc/rfc1272.txt: accounting to the level of other ADJACENT (directly connected)
../data/rfc/rfc1272.txt- administrative domains. Consider the viewpoint of the administrator
../data/rfc/rfc1272.txt- for domain X of the internet. The idea is that he will send each
../data/rfc/rfc1272.txt- adjacent administrative domain a bill (or other statement of
../data/rfc/rfc1272.txt: accounting) for its use of his resources and it will send him a bill
../data/rfc/rfc1272.txt- for his use of its resources. When he receives an aggregate bill
../data/rfc/rfc1272.txt- from Network A, if he wishes to allocate the charges to end users or
../data/rfc/rfc1272.txt- subsystems within his domain, it is HIS responsibility to collect
../data/rfc/rfc1272.txt: accounting data about how they used the resources of Network A. If
../data/rfc/rfc1272.txt- the "user" is in fact another administrative domain, B, (on whose
../data/rfc/rfc1272.txt- behalf X was using A's resources) the administrator for X just sends
../data/rfc/rfc1272.txt- his counterpart in B a bill for the part of X's bill attributable to
../data/rfc/rfc1272.txt- B's usage. If B was passing traffic for C, then B bills C for the
../data/rfc/rfc1272.txt- appropriate portion of X's charges, and so on, until the charges
../data/rfc/rfc1272.txt- percolate back to the original end user, say G. Thus, the
../data/rfc/rfc1272.txt- administrator for X does not have to account for G's usage; he only
../data/rfc/rfc1272.txt- has to account for the usage of the administrative domains directly
../data/rfc/rfc1272.txt- adjacent to himself.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: This paradigm of recursive accounting may, of course, be used WITHIN
../data/rfc/rfc1272.txt- an administrative domain that is (logically) comprised of sub-
../data/rfc/rfc1272.txt- administrative domains.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- The discussion of the preceding paragraphs applies to a general mesh
../data/rfc/rfc1272.txt- topology, in which any Internet constituent domain may act as a
../data/rfc/rfc1272.txt- service provider for any connected domain. Although the Internet
../data/rfc/rfc1272.txt- topology is in fact such a mesh, there is a general hierarchy to its
../data/rfc/rfc1272.txt- structure and hierarchical routing (when implemented) will make it
../data/rfc/rfc1272.txt- logically hierarchical as far as traffic flow is concerned. This
../data/rfc/rfc1272.txt: logical hierarchy permits a simplification of the usage accounting
../data/rfc/rfc1272.txt- perspective.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- At the bottom of the service hierarchy a service-consuming host sits
../data/rfc/rfc1272.txt- on one of many "stub" networks. These are interconnected into an
../data/rfc/rfc1272.txt- enterprise-wide extended LAN, which in turn receives Internet
--
../data/rfc/rfc1272.txt- Regional backbones receive national transport services from national
../data/rfc/rfc1272.txt- backbones such as NSFnet, Alternet, PSInet, CERFnet, NSInet, or
../data/rfc/rfc1272.txt- Nordunet. In this scheme each level in the hierarchy has a
../data/rfc/rfc1272.txt- constituency, a group for which usage reporting is germane, in the
../data/rfc/rfc1272.txt- level underneath it. In the case of the NSFnet the natural
../data/rfc/rfc1272.txt: constituency, for accounting purposes at least, is the regional nets
../data/rfc/rfc1272.txt- (MIDnet, SURAnet,...). For the regionals it will be their member
../data/rfc/rfc1272.txt- institutions; for the institutions, their stub networks; and for the
../data/rfc/rfc1272.txt- stubs, their individual hosts.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt-3.3.2. Implications of the Model
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- The significance of the model sketched above is that Internet
../data/rfc/rfc1272.txt: accounting must be able to support accounting for adjacent
../data/rfc/rfc1272.txt: (intermediate) systems, as well as end-system accounting. Adjacent
../data/rfc/rfc1272.txt: system accounting information cannot be derived from end-system
../data/rfc/rfc1272.txt: accounting (even if complete end-system accounting were feasible)
../data/rfc/rfc1272.txt- because traffic from an end-system may reach the administrative
../data/rfc/rfc1272.txt- domain of interest through different adjacent domains, and it is the
../data/rfc/rfc1272.txt- adjacent domain through which it passes that is of interest.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: The need to support accounting for adjacent intermediate systems
../data/rfc/rfc1272.txt: means that internet accounting will require information not present
../data/rfc/rfc1272.txt- in internet protocol headers (these headers contain source and
../data/rfc/rfc1272.txt- destination addresses of end-systems only). This information may
../data/rfc/rfc1272.txt- come from lower layer protocols (network or link layer) or from
../data/rfc/rfc1272.txt- configuration information for boundary components (e.g., "what system
../data/rfc/rfc1272.txt- is connected to port 5 of this IP router").
--
../data/rfc/rfc1272.txt- (domains)). The assignment of packets to flows may be done by
../data/rfc/rfc1272.txt- executing a series of rules. Meters can reasonably be implemented in
../data/rfc/rfc1272.txt- any of three environments -- dedicated monitors, in routers or in
../data/rfc/rfc1272.txt- general-purpose systems.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: Meter location is a critical decision in internet accounting. An
../data/rfc/rfc1272.txt- important criterion for selecting meter location is cost, i.e.,
../data/rfc/rfc1272.txt: REDUCING ACCOUNTING OVERHEAD and MINIMIZING THE COST OF
../data/rfc/rfc1272.txt- IMPLEMENTATION.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: In the trade-off between overhead (cost of accounting) and detail,
../data/rfc/rfc1272.txt- ACCURACY and RELIABILITY play a decisive role. Full accuracy and
../data/rfc/rfc1272.txt: reliability for accounting purposes require that EVERY packet must be
../data/rfc/rfc1272.txt- examined. However, if the requirement for accuracy and reliability
../data/rfc/rfc1272.txt- is relaxed, statistical sampling may be more practical and
../data/rfc/rfc1272.txt: sufficiently accurate, and DETAILED ACCOUNTING is not required at
../data/rfc/rfc1272.txt- all. Accuracy and reliability requirements may be less stringent
../data/rfc/rfc1272.txt- when the purpose of usage-reporting is solely to understand network
../data/rfc/rfc1272.txt- behavior, for network design and performance tuning, or when usage
../data/rfc/rfc1272.txt- reporting is used to approximate cost allocations to users as a
../data/rfc/rfc1272.txt- percentage of total fees.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: Overhead costs are minimized by accounting at the coarsest acceptable
../data/rfc/rfc1272.txt- GRANULARITY, i.e., using the greatest amount of AGGREGATION possible
../data/rfc/rfc1272.txt: to limit the number of accounting records generated, their size, and
../data/rfc/rfc1272.txt- the frequency with which they are transmitted across the network or
../data/rfc/rfc1272.txt- otherwise stored.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- The other cost factor lies in implementation. Implementation will
../data/rfc/rfc1272.txt- necessitate the development and introduction of hardware and software
--
../data/rfc/rfc1272.txt- administrative boundaries and data collected such that service
../data/rfc/rfc1272.txt- provider and consumer are able to reconcile their activities.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- Routers (and/or bridges) are by definition and design placed
../data/rfc/rfc1272.txt- (topologically) at these boundaries and so it follows that the most
../data/rfc/rfc1272.txt: generally convenient place to position accounting meters is in or
../data/rfc/rfc1272.txt- near the router. But again this depends on the underlying transport.
../data/rfc/rfc1272.txt- Whenever the service-providing network is broadcast (e.g., bus-
../data/rfc/rfc1272.txt- based), not extended (i.e., without bridging or routing), then meter
../data/rfc/rfc1272.txt- placement is of no particular consequence. If one were generating
../data/rfc/rfc1272.txt- usage reports for a stub LAN, meters could reasonably be placed in a
--
../data/rfc/rfc1272.txt- are the ultimate source and sink of all traffic. Routers monitor all
../data/rfc/rfc1272.txt- traffic which passes IN or OUT of each network. Motivations for
../data/rfc/rfc1272.txt- selecting the routers as the metering points are:
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o Minimization of cost and overhead.
../data/rfc/rfc1272.txt: (by concentrating the accounting function). Centralize
../data/rfc/rfc1272.txt- and minimize in terms of number of geographical or
../data/rfc/rfc1272.txt- administrative regions, number of protocols monitored,
../data/rfc/rfc1272.txt- and number of separate implementations modified. (Hosts
../data/rfc/rfc1272.txt- are too diverse and numerous for easy standardization.
../data/rfc/rfc1272.txt- Routers concentrate traffic and are more homogeneous.)
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o Traffic control.
--
../data/rfc/rfc1272.txt- in meter status (e.g., exceeding a quota) would result in
../data/rfc/rfc1272.txt- an active influence on network traffic (the router starts
../data/rfc/rfc1272.txt- denying access). A passive measuring device cannot
../data/rfc/rfc1272.txt- control network access in response to detecting state.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt: o Intermediate system accounting.
../data/rfc/rfc1272.txt: As discussed above, internet accounting includes both
../data/rfc/rfc1272.txt: end-system and intermediate system accounting. Hosts see
../data/rfc/rfc1272.txt- only end-system traffic; routers see both the end-systems
../data/rfc/rfc1272.txt- (internet source and destination) and the adjacent
../data/rfc/rfc1272.txt- intermediate systems.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- Therefore, meters should be placed at:
--
../data/rfc/rfc1272.txt- o administrative boundaries
../data/rfc/rfc1272.txt- only for measuring inter-domain traffic;
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o stub networks
../data/rfc/rfc1272.txt- for measuring intra-domain traffic. For intra-domain
../data/rfc/rfc1272.txt: traffic, the requirement for performing accounting at
../data/rfc/rfc1272.txt- almost every router is a disincentive for implementing a
../data/rfc/rfc1272.txt- usage-based charging policy.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt-4.2. Meter Types
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- Four possible types of metering technology are:
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o Network monitors:
../data/rfc/rfc1272.txt- These measure only traffic WITHIN a single network. They
../data/rfc/rfc1272.txt: include LAN monitors, X.25 call accounting systems and
../data/rfc/rfc1272.txt- traffic monitors in bridges.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o Line monitors:
../data/rfc/rfc1272.txt- These count packets flowing across a circuit. They would
../data/rfc/rfc1272.txt- be placed on inter-router trunks and on router ports.
--
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt-4.3. Meter Structure
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- While topology argues in favor of meters in routers, granularity and
../data/rfc/rfc1272.txt- security favor dedicated monitors. The GRANULARITY of the
../data/rfc/rfc1272.txt- accountable entity (and its attributes) affects the amount of
../data/rfc/rfc1272.txt: overhead incurred for accounting. Each entity/attribute/reporting
../data/rfc/rfc1272.txt- interval combination is a separate meter. Each individual meter
../data/rfc/rfc1272.txt- takes up local memory and requires additional memory or network
../data/rfc/rfc1272.txt- resources when the meter reports to the application. Memory is a
../data/rfc/rfc1272.txt- limited resource, and there are cost implications to expanding memory
../data/rfc/rfc1272.txt- significantly or increasing the frequency of reporting. The number
--
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- ENTITY: Entities range across the spectrum from the coarsest
../data/rfc/rfc1272.txt- granularity, PORT (a local view with a unique designation for the
../data/rfc/rfc1272.txt- subscriber port through which packets enter and exit "my"
../data/rfc/rfc1272.txt- network) through NETWORK and HOST to USER (not defined here).
../data/rfc/rfc1272.txt: The port is the minimum granularity of accounting. HOST is the
../data/rfc/rfc1272.txt- finest granularity defined here. Where verification is required,
../data/rfc/rfc1272.txt: a network should be able to perform accounting at the granularity
../data/rfc/rfc1272.txt- its subscribers use. Hosts are ultimately responsible for
../data/rfc/rfc1272.txt- identifying the end user, since only the hosts have unambiguous
../data/rfc/rfc1272.txt- access to user identification. This information could be shared
../data/rfc/rfc1272.txt- with the network, but it is the host's responsibility to do so,
../data/rfc/rfc1272.txt- and there is no mechanism in place at this time (e.g., an IP
--
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- categorization of packets. The finest granularity would be to
../data/rfc/rfc1272.txt- maintain state information about the higher-level protocols or
../data/rfc/rfc1272.txt- type of service being used by communicating processes across the
--
../data/rfc/rfc1272.txt- packet counts and byte counts. They may also be time stamps -
../data/rfc/rfc1272.txt- start time and stop time, or reasons for starting or stopping
../data/rfc/rfc1272.txt- reporting.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- REPORTING INTERVAL: At the very finest level of granularity,
../data/rfc/rfc1272.txt: each data packet might generate a separate accounting record. To
../data/rfc/rfc1272.txt- report traffic at this level of detail would require
../data/rfc/rfc1272.txt: approximately one packet of accounting information for every data
../data/rfc/rfc1272.txt- packet sent. The reporting interval is then zero and no memory
../data/rfc/rfc1272.txt- will be needed for flow record storage. For a non-zero reporting
../data/rfc/rfc1272.txt- interval flow records must be maintained in memory. Storage for
../data/rfc/rfc1272.txt- stale (old, infrequent) flows may be recycled when their data has
../data/rfc/rfc1272.txt- been reported. As the reporting interval increases, more and
../data/rfc/rfc1272.txt- more stale records accumulate.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- The feasibility of a particular group of granularities varies
../data/rfc/rfc1272.txt- with the PERFORMANCE characteristics of the network (link speed,
../data/rfc/rfc1272.txt- link bandwidth, router processing speed, router memory), as well
../data/rfc/rfc1272.txt: as the COST of accounting balanced against the requirement for
../data/rfc/rfc1272.txt- DETAIL. Since technological advances can quickly obsolete
../data/rfc/rfc1272.txt- current technical limitations, and since the policy structure and
../data/rfc/rfc1272.txt- economics of the Internet are in flux, meters will be defined
../data/rfc/rfc1272.txt- with VARYING GRANULARITY which is regulated according to the
../data/rfc/rfc1272.txt- traffic requirements of the individual network or administration
--
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- Meters can generate large, unstructured amounts of information
../data/rfc/rfc1272.txt- and the essential collection issue revolves around mapping
../data/rfc/rfc1272.txt- collection activities into an SNMP framework (or, to the extent
--
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- o local and remote collection control
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- The prime security concern is preserving the confidentiality of usage
../data/rfc/rfc1272.txt- data. (See ISO 7498 Part 2, "Security Architecture," for security
../data/rfc/rfc1272.txt: terminology used herein.) Given that accounting data are sensitive,
../data/rfc/rfc1272.txt- the collector should be able (or may be required) to provide
../data/rfc/rfc1272.txt: confidentiality for accounting data at the point of collection,
../data/rfc/rfc1272.txt- through transmission and up to the point where the data is delivered.
../data/rfc/rfc1272.txt- The delivery function may also require authentication of the origin
../data/rfc/rfc1272.txt- and destination and provision for connection integrity (if
../data/rfc/rfc1272.txt- connections are utilized). Other security services (e.g., measures
../data/rfc/rfc1272.txt- to counter denial of service attacks) are not deemed necessary for
../data/rfc/rfc1272.txt: internet accounting at this time. It is assumed that security
../data/rfc/rfc1272.txt- services can be provided by SNMP and its mechanisms. (This will
../data/rfc/rfc1272.txt- require further investigation.)
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- In order to have an accurate monitoring system, reliable delivery of
../data/rfc/rfc1272.txt- data should be assured through one or more of:
--
../data/rfc/rfc1272.txt- There is a place for both application polling and meter traps within
../data/rfc/rfc1272.txt- this scheme, but there are significant trade-offs associated with
../data/rfc/rfc1272.txt- each.
../data/rfc/rfc1272.txt-
../data/rfc/rfc1272.txt- Polling means that the collection point has some control over when
../data/rfc/rfc1272.txt: accounting data is sent, so that not all meters flood the collector
../data/rfc/rfc1272.txt- at once. However, polling messages, particularly when structured
../data/rfc/rfc1272.txt- with SNMP's GET-NEXT operator, add considerable overhead to the
../data/rfc/rfc1272.txt- network. Meter traps are required in any case (whether or not
../data/rfc/rfc1272.txt- polling is the preferred collection method), so that a meter may rid
../data/rfc/rfc1272.txt- itself of data when its cache is full.
../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-Mills, Hirsh, & Ruth [Page 13] ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt:RFC 1272 Internet Accounting: Background November 1991 ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- The fundamental collection trade-off will be between primary and ../data/rfc/rfc1272.txt- secondary storage at the meter, coupled with an efficient bulk- ../data/rfc/rfc1272.txt- transfer protocol, versus minimal storage at the meter and a -- ../data/rfc/rfc1272.txt- packets (e.g., in times of congestion when the router cannot handle ../data/rfc/rfc1272.txt- the offered load); it is presumed that higher level protocols (e.g., ../data/rfc/rfc1272.txt- TCP) will provide whatever reliable delivery service the user deems ../data/rfc/rfc1272.txt- necessary (by detecting non- delivery and retransmitting). ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt: The question arises, therefore, whether an internet accounting system ../data/rfc/rfc1272.txt- should count all packets offered to a router (since each packet ../data/rfc/rfc1272.txt- offered consumes some router resources) or just those that are ../data/rfc/rfc1272.txt- finally passed by the router to a network (why should a user pay for ../data/rfc/rfc1272.txt- undelivered packets?) Since there are good arguments for either ../data/rfc/rfc1272.txt- position, we do not attempt to resolve this issue here. (It should ../data/rfc/rfc1272.txt- be noted, however, that SMDS has chosen to count on exit only.) ../data/rfc/rfc1272.txt: Rather, we require that an internet accounting should provide ability ../data/rfc/rfc1272.txt- for counting packets either way -- on entry to or on exit from a ../data/rfc/rfc1272.txt- router. ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-5. 
Examples ../data/rfc/rfc1272.txt- -- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-5.1 A Single Segment LAN ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- Consumers and providers on a single LAN service can utilize the same ../data/rfc/rfc1272.txt- set of data: the contribution of individual hosts to total network ../data/rfc/rfc1272.txt: load. A network accounting system measures flows between individual ../data/rfc/rfc1272.txt- host pairs. (On a broadcast LAN, e.g., an Ethernet, this can be ../data/rfc/rfc1272.txt- accomplished by a single meter placed anywhere on the LAN.) Using ../data/rfc/rfc1272.txt- this data, costs for the network management activity can be ../data/rfc/rfc1272.txt- apportioned to individual hosts or the departments that own/manage ../data/rfc/rfc1272.txt- the hosts. -- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-Mills, Hirsh, & Ruth [Page 14] ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt:RFC 1272 Internet Accounting: Background November 1991 ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-5.2 An Extended (Campus or Facility-Wide) LAN ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- 128.252.100.X 128.252.150.X 128.253.220.X -- ../data/rfc/rfc1272.txt- individual hosts on adjacent subnets are aggregated into a single ../data/rfc/rfc1272.txt- flow that measures activity between subnets. ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- The service consumers, or subnets, might in turn want to keep track ../data/rfc/rfc1272.txt- of the communications between individual hosts that use the services ../data/rfc/rfc1272.txt: of the backbone. An accounting system on the backbone could be ../data/rfc/rfc1272.txt- configured to monitor traffic among individual host pairs. ../data/rfc/rfc1272.txt: Alternately an accounting system on each individual subnet could keep ../data/rfc/rfc1272.txt- track of local and "non-local" traffic. 
The observed data of the two ../data/rfc/rfc1272.txt- sets of meters (one for the service provider and one for the service ../data/rfc/rfc1272.txt- consumers) should have reconcilable data. ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- -- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-Mills, Hirsh, & Ruth [Page 15] ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt:RFC 1272 Internet Accounting: Background November 1991 ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-5.3 A Regional Network ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- 116.125 -- ../data/rfc/rfc1272.txt- 124.110 ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- In this example we have a regional network consisting of a ring of ../data/rfc/rfc1272.txt- point-to-point links that interconnect a collection of campus-wide ../data/rfc/rfc1272.txt- LANs. Again service provider and consumer have differing interests ../data/rfc/rfc1272.txt: and needs for accounting data. The service provider, the regional ../data/rfc/rfc1272.txt- network, again will be interested in the contribution of each ../data/rfc/rfc1272.txt- individual network to the total traffic on the regional network. ../data/rfc/rfc1272.txt- This interest might extend to include measure of individual link ../data/rfc/rfc1272.txt- utilization, and not just total offered load to the network as a ../data/rfc/rfc1272.txt- whole. 
In this latter case the service provider will require that -- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-Mills, Hirsh, & Ruth [Page 16] ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt:RFC 1272 Internet Accounting: Background November 1991 ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-5.4 A National Backbone ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- __________ -- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-Mills, Hirsh, & Ruth [Page 17] ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt:RFC 1272 Internet Accounting: Background November 1991 ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- APPLICATIONS standards: Recommendations for storage, processing and ../data/rfc/rfc1272.txt- reporting are left out for the moment. Storage and processing of ../data/rfc/rfc1272.txt: accounting information is dependent on individual network policy. ../data/rfc/rfc1272.txt- Recommendations for standardizing billing schemes would be premature. ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- QUOTAS are a form of closed loop feedback that represent an ../data/rfc/rfc1272.txt- interesting extension of usage reporting. But they will have to wait ../data/rfc/rfc1272.txt: until the basic accounting technology is reasonably defined and has ../data/rfc/rfc1272.txt- been the subject of a reasonable amount of experimentation. ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt: SESSION ACCOUNTING: Detailed auditing of individual sessions across ../data/rfc/rfc1272.txt- the internet (at level four or higher) will not be addressed by ../data/rfc/rfc1272.txt: internet accounting. Internet accounting deals only with measuring ../data/rfc/rfc1272.txt- traffic at the IP level. 
../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt: APPLICATION LEVEL ACCOUNTING: Service hosts and proxy agents have to ../data/rfc/rfc1272.txt: do their own accounting for services, since the network cannot ../data/rfc/rfc1272.txt- distinguish on whose behalf they are acting. Alternately, TCP/UDP ../data/rfc/rfc1272.txt- port numbers could become an optional field in a meter, since the ../data/rfc/rfc1272.txt- conjunction of a pair of IP addresses and port numbers occurring at a ../data/rfc/rfc1272.txt- particular time uniquely identifies a pair of communicating ../data/rfc/rfc1272.txt- processes. -- ../data/rfc/rfc1272.txt- probably contain two parts - a subscriber identification and a user ../data/rfc/rfc1272.txt- sub-identification - to allow for the later introduction of quota ../data/rfc/rfc1272.txt- mechanisms which have both group and individual quotas. The ../data/rfc/rfc1272.txt- subscriber is the fiscally responsible entity, for example the ../data/rfc/rfc1272.txt- manager of a research group. In any case, routers must be able to ../data/rfc/rfc1272.txt: fall back to accounting by host, since there will most certainly be ../data/rfc/rfc1272.txt- hosts on the network which do not implement a new IP option in a ../data/rfc/rfc1272.txt- timely fashion. ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-7. References ../data/rfc/rfc1272.txt- -- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-Mills, Hirsh, & Ruth [Page 18] ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt:RFC 1272 Internet Accounting: Background November 1991 ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt-Security Considerations ../data/rfc/rfc1272.txt- ../data/rfc/rfc1272.txt- Security issues are discussed in sections 2, 3 and 4. -- ../data/rfc/rfc4484.txt- ../data/rfc/rfc4484.txt-4.1. 
Settlement for Services ../data/rfc/rfc4484.txt- ../data/rfc/rfc4484.txt- When endpoints in two domains share real-time communications ../data/rfc/rfc4484.txt- services, sometimes there is a need for the domains to exchange ../data/rfc/rfc4484.txt: accounting and settlement information in real-time. The operators of ../data/rfc/rfc4484.txt- valuable resources (for example, Public Switched Telephone Network ../data/rfc/rfc4484.txt- (PSTN) trunking, conference bridges, or the like) in the called ../data/rfc/rfc4484.txt- domain may wish to settle with the calling domain (either with the ../data/rfc/rfc4484.txt: operators of the domain or a particular user), and some accounting ../data/rfc/rfc4484.txt- operations might need to complete before a call is terminated. For ../data/rfc/rfc4484.txt- example, a caller in one domain might want to access a conference ../data/rfc/rfc4484.txt- bridge in another domain, and the called domain might wish to settle ../data/rfc/rfc4484.txt- for the usage of the bridge with the calling domain. Or in a ../data/rfc/rfc4484.txt- wireless context, a roaming user might want to use services in a ../data/rfc/rfc4484.txt- visited network, and the visited network might need to understand how ../data/rfc/rfc4484.txt- to settle with the user's home network for these services. ../data/rfc/rfc4484.txt- ../data/rfc/rfc4484.txt- Assuming that the calling domain constitutes some sort of commercial ../data/rfc/rfc4484.txt: service capable of exchanging accounting information, the called ../data/rfc/rfc4484.txt- domain may want to verify that the remote user has a billable account ../data/rfc/rfc4484.txt- in good standing before allowing a remote user access to valuable ../data/rfc/rfc4484.txt- resources. Moreover, the called domain may need to discover the ../data/rfc/rfc4484.txt: network address of an accounting server and some basic information ../data/rfc/rfc4484.txt- about how to settle with it. 
../data/rfc/rfc4484.txt- ../data/rfc/rfc4484.txt- An authorization assertion created by the calling domain could ../data/rfc/rfc4484.txt- provide the called domain with an assurance that a user's account can ../data/rfc/rfc4484.txt- settle for a particular service. In some cases, no further ../data/rfc/rfc4484.txt- information may be required to process a transaction, but if more ../data/rfc/rfc4484.txt: specific accounting data is needed, traits could also communicate the ../data/rfc/rfc4484.txt: network address of an accounting server, the settlement protocol that ../data/rfc/rfc4484.txt- should be used, and so on. ../data/rfc/rfc4484.txt- ../data/rfc/rfc4484.txt-4.2. Associating Gateways with Providers ../data/rfc/rfc4484.txt- ../data/rfc/rfc4484.txt- Imagine a case where a particular telephone service provider has -- ../data/rfc/rfc3479.txt- ../data/rfc/rfc3479.txt- Upon receipt of a Keepalive message with the FT Cork TLV and the FT ../data/rfc/rfc3479.txt- Protection TLV, an LSR SHOULD perform the following actions: ../data/rfc/rfc3479.txt- ../data/rfc/rfc3479.txt- - Process and secure any messages from the peer LSR that have ../data/rfc/rfc3479.txt: sequence numbers less than (accounting for wrap) that contained in ../data/rfc/rfc3479.txt- the FT Protection TLV on the Keepalive message. ../data/rfc/rfc3479.txt- ../data/rfc/rfc3479.txt- - Send a Keepalive message back to the peer containing the FT Cork ../data/rfc/rfc3479.txt- TLV and the FT ACK TLV specifying the FT ACK sequence number ../data/rfc/rfc3479.txt- equal to that in the original Keepalive message (i.e. 
ACKing all -- ../data/rfc/rfc770.txt- 2-71 2-107 AHHP Regular Messages [1,3] ../data/rfc/rfc770.txt- 72-150 110-226 Reserved ../data/rfc/rfc770.txt- 151 227 CHAOS Protocol ../data/rfc/rfc770.txt- 152 230 PARC Universal Protocol ../data/rfc/rfc770.txt- 153 231 TIP Status Reporting ../data/rfc/rfc770.txt: 154 232 TIP Accounting ../data/rfc/rfc770.txt- 155 233 Internet Protocol (regular traffic) [44] ../data/rfc/rfc770.txt- 156-158 234-236 Internet Protocol (experimental traffic) [44] ../data/rfc/rfc770.txt- 159-191 237-277 Measurements [28] ../data/rfc/rfc770.txt- 192-195 300-303 Message Switching Protocol [4,5] ../data/rfc/rfc770.txt- 196-255 304-377 Experimental Protocols -- ../data/rfc/rfc7360.txt- This document is an Experimental RFC. ../data/rfc/rfc7360.txt- ../data/rfc/rfc7360.txt- It contains one of several approaches to address known cryptographic ../data/rfc/rfc7360.txt- weaknesses of the RADIUS protocol, such as described in [RFC6614]. ../data/rfc/rfc7360.txt- This specification does not fulfill all recommendations for an ../data/rfc/rfc7360.txt: Authentication, Authorization, and Accounting (AAA) transport profile ../data/rfc/rfc7360.txt- as per [RFC3539]; however, unlike [RFC6614], it is based on UDP and ../data/rfc/rfc7360.txt- therefore does not have head-of-line blocking issues. ../data/rfc/rfc7360.txt- ../data/rfc/rfc7360.txt- ../data/rfc/rfc7360.txt- -- ../data/rfc/rfc7360.txt- RADIUS/DTLS, and how it interacts with RADIUS/UDP. ../data/rfc/rfc7360.txt- ../data/rfc/rfc7360.txt-3.1. DTLS Port and Packet Types ../data/rfc/rfc7360.txt- ../data/rfc/rfc7360.txt- The default destination port number for RADIUS/DTLS is UDP/2083. ../data/rfc/rfc7360.txt: There are no separate ports for authentication, accounting, and ../data/rfc/rfc7360.txt- dynamic authorization changes. The source port is arbitrary. The ../data/rfc/rfc7360.txt- text in [RFC6614], Section 3.4, describes issues surrounding the use ../data/rfc/rfc7360.txt- of one port for multiple packet types. 
We recognize that ../data/rfc/rfc7360.txt- implementations may allow the use of RADIUS/DTLS over non-standard ../data/rfc/rfc7360.txt- ports. In that case, the references to UDP/2083 in this document -- ../data/rfc/rfc7360.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, ../data/rfc/rfc7360.txt- "Remote Authentication Dial In User Service (RADIUS)", ../data/rfc/rfc7360.txt- RFC 2865, June 2000. ../data/rfc/rfc7360.txt- ../data/rfc/rfc7360.txt- [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and ../data/rfc/rfc7360.txt: Accounting (AAA) Transport Profile", RFC 3539, June 2003. ../data/rfc/rfc7360.txt- ../data/rfc/rfc7360.txt- [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, ../data/rfc/rfc7360.txt- "Transport Layer Security (TLS) Session Resumption ../data/rfc/rfc7360.txt- without Server-Side State", RFC 5077, January 2008. ../data/rfc/rfc7360.txt- -- ../data/rfc/rfc7360.txt-11.2. Informative References ../data/rfc/rfc7360.txt- ../data/rfc/rfc7360.txt- [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, ../data/rfc/rfc7360.txt- April 1992. ../data/rfc/rfc7360.txt- ../data/rfc/rfc7360.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc7360.txt- ../data/rfc/rfc7360.txt- [RFC4107] Bellovin, S. and R. Housley, "Guidelines for ../data/rfc/rfc7360.txt- Cryptographic Key Management", BCP 107, RFC 4107, June ../data/rfc/rfc7360.txt- 2005. ../data/rfc/rfc7360.txt- -- ../data/rfc/rfc6943.txt- o Authorization: a protocol might match a resource name against some ../data/rfc/rfc6943.txt- policy. For example, it might look up an access control list ../data/rfc/rfc6943.txt- (ACL) and then look up the security principal's identifier (or a ../data/rfc/rfc6943.txt- surrogate for it) in that ACL. 
../data/rfc/rfc6943.txt- ../data/rfc/rfc6943.txt: o Accounting: a system might create an accounting record for a ../data/rfc/rfc6943.txt- security principal's identifier or resource name, and then might ../data/rfc/rfc6943.txt- later need to match a presented identifier to (for example) add ../data/rfc/rfc6943.txt- new filtering rules based on the records in order to stop an ../data/rfc/rfc6943.txt- attack. ../data/rfc/rfc6943.txt- -- ../data/rfc/rfc2848.txt- ../data/rfc/rfc2848.txt- Conversely, if a historical request is made on the disposition of a ../data/rfc/rfc2848.txt- service, this should be done within a short time after the service ../data/rfc/rfc2848.txt- has completed; the Executive System is unlikely to store the results ../data/rfc/rfc2848.txt- of service requests for long; these will have been processed as AMA ../data/rfc/rfc2848.txt: (Automatic Message Accounting) records quickly, after which the ../data/rfc/rfc2848.txt- Executive System has no reason to keep them, and so they may be ../data/rfc/rfc2848.txt- discarded. ../data/rfc/rfc2848.txt- ../data/rfc/rfc2848.txt- Where the PINT Gateway and the Executive System are intimately ../data/rfc/rfc2848.txt- linked, the Gateway can respond to status subscription requests that -- ../data/rfc/rfc1820.txt- 2. System installation, configuration and management ../data/rfc/rfc1820.txt- 2.1 How complex/easy is installation and configuration? Are ../data/rfc/rfc1820.txt- there any pitfalls that need attention? Can you configure ../data/rfc/rfc1820.txt- per set of users (i.e systemwide or LAN wide default ../data/rfc/rfc1820.txt- configuration) and/or per user? ../data/rfc/rfc1820.txt: 2.2 Are there facilities for logging and/or accounting? 
../data/rfc/rfc1820.txt- 2.3 Does the UA generate correct RFC 822 headers for outgoing ../data/rfc/rfc1820.txt- messages: ../data/rfc/rfc1820.txt- From:, (and if necessary) Sender: ../data/rfc/rfc1820.txt- Date: ../data/rfc/rfc1820.txt- Message-id: -- ../data/rfc/rfc5812.txt- associated with a packet. The vertical axis between the CE and the ../data/rfc/rfc5812.txt- FE denotes the Fp reference point where bidirectional communication ../data/rfc/rfc5812.txt- between the CE and FE occurs: the CE-to-FE communication is for ../data/rfc/rfc5812.txt- configuration, control, and packet injection, while the FE-to-CE ../data/rfc/rfc5812.txt- communication is used for packet redirection to the control plane, ../data/rfc/rfc5812.txt: reporting of monitoring and accounting information, reporting of ../data/rfc/rfc5812.txt- errors, etc. Note that the interaction between the CE and the LFB is ../data/rfc/rfc5812.txt- only abstract and indirect. The result of such an interaction is for ../data/rfc/rfc5812.txt- the CE to manipulate the components of the LFB instances. ../data/rfc/rfc5812.txt- ../data/rfc/rfc5812.txt- An LFB can have one or more inputs. Each input takes a pair of a -- ../data/rfc/rfc1287.txt- (IDRP) does this. BGP could evolve to do this. The additional ../data/rfc/rfc1287.txt- facility needed is a global table that maps network numbers to ../data/rfc/rfc1287.txt- ADs. ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- For several reasons (special routes and address conversion, as ../data/rfc/rfc1287.txt: well as accounting and resource allocation), we are moving from a ../data/rfc/rfc1287.txt- "stateless" gateway model, where only precomputed routes are ../data/rfc/rfc1287.txt- stored in the gateway, to a model where at least some of the ../data/rfc/rfc1287.txt- gateways have per-connection state. 
../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- 2.2 Extended IP Address Formats -- ../data/rfc/rfc1287.txt- distinct methods should be used inside and outside ADs ../data/rfc/rfc1287.txt- and aggregates. ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- Existing projects planned for DARTnet will help resolve several of ../data/rfc/rfc1287.txt- these issues: state in gateways, state setup, address mapping, ../data/rfc/rfc1287.txt: accounting and so on. Other experiments in the R&D community also ../data/rfc/rfc1287.txt- bear on this area. ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt-3. MULTI-PROTOCOL ARCHITECTURE ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- Changing the Internet to support multiple protocol suites leads to -- ../data/rfc/rfc1287.txt- Resource guarantees of whatever flavor must hold across an ../data/rfc/rfc1287.txt- arbitrary end-to-end path, including multiple ADs. Hence, ../data/rfc/rfc1287.txt- any resource setup mechanism needs to mesh smoothly with the ../data/rfc/rfc1287.txt- path setup mechanism incorporated into IDPR. ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt: o Accounting ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- The resource guarantee subsets ("classes") may be natural ../data/rfc/rfc1287.txt: units for accounting. ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- 5.3 Proposed Actions ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- The actions called for here are further research on the technical ../data/rfc/rfc1287.txt- issues listed above, followed by development and standardization -- ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- Getting big: ../data/rfc/rfc1287.txt- User services, what technology for host and nets? ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- Divestiture of the Internet: ../data/rfc/rfc1287.txt: Accounting, controlling usage and fixing faults. ../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- New services: ../data/rfc/rfc1287.txt- Video? Transactions? Distributed computing? 
../data/rfc/rfc1287.txt- ../data/rfc/rfc1287.txt- Security: -- ../data/rfc/rfc672.txt- Preface: ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- This RFC reproduces most of a working document ../data/rfc/rfc672.txt- prepared during the design and implementation of the ../data/rfc/rfc672.txt- protocols for the TIP-TENEX integrated system for ../data/rfc/rfc672.txt: handling TIP accounting. Bernie Cosell (BBN-TIP) ../data/rfc/rfc672.txt- and Bob Thomas (BBN-TENEX) have contributed to ../data/rfc/rfc672.txt- various aspects of this work. The system has been ../data/rfc/rfc672.txt- partially operational for about a month on selected ../data/rfc/rfc672.txt- hosts. We feel that the techniques described here ../data/rfc/rfc672.txt: have wide applicability beyond TIP accounting. ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt-Section I ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt-Protocols for a Multi-site Data Collection Facility -- ../data/rfc/rfc672.txt-problem deals with providing a highly reliable data collection ../data/rfc/rfc672.txt-facility, by supporting it at many sites throughout the network. In ../data/rfc/rfc672.txt-the second section of this document, we describe in detail a ../data/rfc/rfc672.txt-particular implementation of the protocol which handles the problem ../data/rfc/rfc672.txt-of utilizing multiple data collector processes for collecting ../data/rfc/rfc672.txt:accounting data generated by the network TIPs. This example also ../data/rfc/rfc672.txt-illustrates the specialization of hosts to perform parts of a ../data/rfc/rfc672.txt-computation they are best equipped to handle. The large network ../data/rfc/rfc672.txt:hosts (TENEX systems) perform the accounting function for the small ../data/rfc/rfc672.txt-network access TiPs. 
../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- The situation to be discussed is the following: a data ../data/rfc/rfc672.txt-generating process needs to use a data collection service which is ../data/rfc/rfc672.txt-duplicately provided by processes on a number of network machines. -- ../data/rfc/rfc672.txt-expense of possible duplication. ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- Thus, the nature of the problem will dictate which of the ../data/rfc/rfc672.txt-protocols is appropriate for a given situation. The next section ../data/rfc/rfc672.txt-deals in the specifics of an implement;tion of a data collection ../data/rfc/rfc672.txt:protocol to handle the problem of collecting TIP accounting data by ../data/rfc/rfc672.txt-using the TENEX systems for running the collection server processes. ../data/rfc/rfc672.txt:It is shown how the general protocol is optimized for the accounting ../data/rfc/rfc672.txt-data collection. ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt-Section II ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt:Protocol for TIP-TENEX Accounting Server Information Exchange ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt-Overview of the Facility ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- -- ../data/rfc/rfc672.txt-an authentication data base. The user must then complete s login ../data/rfc/rfc672.txt-sequence in order to authenticate himself. If he is successful the ../data/rfc/rfc672.txt-RSEXEC will transmit his unique ID code to the TIP. Failure will ../data/rfc/rfc672.txt-cause the RSEXEC to close the connection and the TIP to hang up on ../data/rfc/rfc672.txt-the user. After the user is authenticated, the TIP will accumulate ../data/rfc/rfc672.txt:accounting data for the user session. The data includes a count of ../data/rfc/rfc672.txt-messages sent on behalf of the user, and the connect time for the ../data/rfc/rfc672.txt-user. 
From time to time the TIP will transmit intermediate ../data/rfc/rfc672.txt:accounting data to Accounting Server (ACTSER) processes scattered ../data/rfc/rfc672.txt:throughout the network. These accounting servers will maintain ../data/rfc/rfc672.txt:files containing intermediate raw accounting data. The raw ../data/rfc/rfc672.txt:accounting data will periodically be collected and sorted to produce ../data/rfc/rfc672.txt:an accounting data base. Providing a number of accounting servers ../data/rfc/rfc672.txt-reduces the possibility of being unable to find a repository for the ../data/rfc/rfc672.txt-intermediate data, which otherwise would be lost due to buffering ../data/rfc/rfc672.txt:limitations in the TiPs. The multitude of accounting servers can ../data/rfc/rfc672.txt-also serve to reduce the load on the individual hosts providing this ../data/rfc/rfc672.txt-facility. ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- -5- ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt-The rest of this document details the protocol that has been ../data/rfc/rfc672.txt:developed to ensure delivery of TIP accounting data to one of the ../data/rfc/rfc672.txt:available accounting servers for storage in the intermediate ../data/rfc/rfc672.txt:accounting files. ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt-Adapting the Protocol ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt- ../data/rfc/rfc672.txt:The TIP to Accounting Server data exchange uses a protocol that ../data/rfc/rfc672.txt-allows the TIP to select for data transmission one, some, or all ../data/rfc/rfc672.txt-server hosts either sequentially or in parallel, yet insures that ../data/rfc/rfc672.txt:the data that becomes part of the accounting file does not contain ../data/rfc/rfc672.txt-duplicate information. The protocol also minimizes the amount of ../data/rfc/rfc672.txt-data buffering that must be done by the limited capacity TiPs. 
The protocol is applicable to a wide class of data collection problems which use a number of data generators and collectors. The following describes how the protocol works for TIP accounting.

Each TIP is responsible for maintaining in its memory the cells indicating the connect time and the number of messages sent for each of its current users. These cells are incremented by the TIP for every quantum of connect time and message sent, as the case may be. This is the data generation phase. Periodically, the TIP will scan all its active counters, and along with each user ID code, pack the accumulated data into one network message (i.e. less than 8K bits). The TIP then transmits this data to a set of Accounting Server processes residing throughout the network. The data transfer is over a specially designated host-host link. The accounting servers utilize the raw network message facility of TENEX 1.32 in order to directly access that link. When an ACTSER receives a data message from a TIP, it buffers the data and replies by returning the entire message to the originating TIP. The TIP responds with a positive acknowledgement ("go ahead") to the first ACTSER which returns the [...] all subsequent ACTSER data return messages for this series of transfers. If the TIP does not receive a reply from any ACTSER, it accumulates new data (i.e. the TIP has all the while been incrementing its local counters to reflect the increased connect time and message count; the current values will comprise new data transfers) and sends the new data to the Accounting Server processes. When an ACTSER receives a positive acknowledgement from a TIP (i.e. "go ahead"), it appends the appropriate parts of the buffered data to the locally maintained accounting information file. On receiving a negative acknowledgement from the TIP (i.e. "discard"), the ACTSER discards the data buffered for this TIP. In addition, when the TIP responds with a "go ahead" to the first ACTSER which has accepted the data (acknowledged by returning the data along with the "I've got it"), the TIP decrements the connect time and message counters for each user by the amount indicated in the data returned by the ACTSER. This data will already be accounted for in the intermediate accounting files.

As an aid in determining which ACTSER replies are to current requests, and which are tardy replies to old requests, the TIP [...]

There are a number of points concerning the protocol that should be noted.

1. The data generator (TIP) can send different (i.e. updated versions) data to different data collectors (accounting servers) as part of the same logical transmission sequence.
This is possible because the TIP does not account for the data sent until it receives the acknowledgement of the data echo. This strategy relieves the TIP of any buffering in conjunction with re-transmission of data which hasn't been acknowledged.

2. A new data request to an accounting server from a TIP will also serve as a negative acknowledgement concerning any data already buffered by the ACTSER for that TIP, but not yet acknowledged. The old data will be discarded, and the new data will be buffered and echoed as an acknowledgement. This allows the TIP the option of not sending a negative acknowledgement when it is not convenient to do [...] This is to prevent a slow acknowledgement to the old data from being accepted by the TIP, after the TIP has already sent the new data to the slow host. This caveat can be avoided if the TIP does not resend to a non-responding server within the time period that a message could possibly be stuck in the network, but could still be delivered. Ignoring this situation may result in some accounting data being counted twice. Because of the rule to keep old data when confronted with matching sequence numbers, on restarting after a crash, the TIP should send a "discard" message to all servers in order to clear any data which has been buffered for it prior to the crash. An alternative to this would be for the TIP to initialize its sequence number from a varying source such as time of day.
3. The accounting server similarly need not acknowledge receipt of data (by echoing) if it finds itself otherwise occupied. This will mean that the ACTSER is not buffering the data, and hence is not a candidate for entering the data into the file. However, the TIP may try this ACTSER at a later time (even with the same data), with no ill effects.

4. Because of 2 and 3 above, the protocol is robust with respect to lost or garbled transmissions of TIP data requests and accounting server echo replies. That is, in the event of loss of such a message, a re-transmission will occur as the normal procedure.

5. There is no synchronization problem with respect to the sequence number used for duplicate detection, since this number is maintained only at the TIP site. The accounting server merely echoes the sequence number it has received as part of the data.

6. There are, however, some constraints on the size of the sequence number field. It must be large enough so that ALL traces of the previous use of a given sequence number are totally removed [...] number field (16 bits), and by allowing sufficient time between instances of sending new data, we can effectively reduce the probability of such an error to zero.

7. Since the data involved in this problem is the source of accounting information, care must be taken to avoid duplicate entries. This must be done at the expense of potentially losing data in certain instances. Other than the obvious TIP malfunction, there are two known ways of losing data. One is the situation where no accounting server responds to a TIP for an extended period of time causing the TIP counters to overflow (highly unlikely if there are sufficient Accounting Servers). In this case, the TIP can hold the counters at their maximum value until a server comes up, thereby keeping the lost accounting data at its minimum. The other situation results from adapting the protocol to our insistence on no duplicate data in the incremental files. We are vulnerable to data loss with no recourse from the time the server receives the "go ahead" to update the file with the buffered data (i.e. positive acknowledgement) until the time the update is completed and the file is closed. An accounting server crash during this period will cause that accounting data to be lost. In our initial implementation, we have slightly extended this period of vulnerability in order to save the TIP from having to buffer the acknowledged data for a short period of time.
By updating TIP counters from the returned data in parallel with sending the "go ahead" acknowledgement, we relieve the TIP of the burden of buffering this data until the Request for Next Message (RFNM) from the accounting server IMP is received. This adds slightly to our period of vulnerability to malfunction, moving the beginning of the period from the point when the ACTSER host receives the "go ahead", back to the point when the TIP sends off [...] acknowledgement before updating its counters. In such a case, if the RFNM does not come, the TIP can discard the buffered data and re-transmit new data to other servers.

8. There is adequate protection against the entry of forged data into the intermediate accounting files. This is primarily due to the system enforced limited access to Host-IMP messages and Host-Host links. In addition, messages received on such designated limited access links can be easily verified as coming from a TIP. The IMP subnet appends the signature (address) of the sending host to all of its messages, so there can be no forging. The Accounting Server is in a position to check if the source of the message is in fact a TIP data generator.

Current Parameters of the Protocol

In the initial implementation, the TIP sends its accumulated accounting data about once every half hour.
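The exchange described above, as a runnable simulation: the echo is the acknowledgement, the TIP answers the first echo with "go ahead" and every later one with "discard", it subtracts exactly the echoed amounts from its counters, a request with a new sequence number acts as a negative acknowledgement for anything a server still holds, a busy server simply does not echo, and a restarting TIP clears every server. This is an added example, not code from RFC 672 or from the BBN TENEX implementation; the Report layout, the class and method names and the traffic in demo() are assumptions made for illustration. The origin check of note 8 is not modelled: it rests entirely on the IMP subnet stamping the source host address on each message, not on any cryptographic origin authentication, so it is only as strong as the trust placed in the subnet.

```python
"""Simulation of the RFC 672 TIP -> Accounting Server (ACTSER) exchange.

Added example, not code from RFC 672 or the BBN TENEX implementation.
Assumed for illustration: the Report layout (16-bit sequence number plus
per-user counters), the class and method names, and the traffic in demo()."""
from dataclasses import dataclass

SEQ_MODULUS = 1 << 16   # RFC 672 uses a 16-bit sequence number field


@dataclass
class Report:
    tip_id: str
    seq: int
    counters: dict        # user_id -> (connect_time, messages)


class ACTSER:
    def __init__(self, name):
        self.name, self.buffer, self.file, self.busy = name, {}, [], False

    def receive(self, report):
        """Buffer the report and echo it; None models 'no reply' (note 3)."""
        if self.busy:
            return None
        old = self.buffer.get(report.tip_id)
        # Same sequence number: a retransmission, keep the old copy.  A new
        # sequence number is a new request and discards the old data (note 2).
        if old is None or old.seq != report.seq:
            self.buffer[report.tip_id] = report
        return self.buffer[report.tip_id]          # the echo is the ack

    def go_ahead(self, tip_id, seq):
        """Positive ack: append the buffered data to the file, exactly once."""
        rep = self.buffer.pop(tip_id, None)
        if rep is not None and rep.seq == seq:
            self.file.append((rep.seq, dict(rep.counters)))

    def discard(self, tip_id):
        """Negative ack (also what a restarting TIP sends to every server)."""
        self.buffer.pop(tip_id, None)


class TIP:
    def __init__(self, tip_id, servers, seq=0):
        self.tip_id, self.servers, self.seq = tip_id, servers, seq % SEQ_MODULUS
        self.counters = {}    # user_id -> [connect_time, messages]

    def tick(self, user, connect=0, messages=0):
        cell = self.counters.setdefault(user, [0, 0])   # data generation phase
        cell[0] += connect
        cell[1] += messages

    def transmit(self, targets=None):
        """Send the counters; "go ahead" to the first echo, "discard" to the rest.
        Returns the name of the server that filed the data, or None."""
        self.seq = (self.seq + 1) % SEQ_MODULUS   # new request, new number
        snapshot = {u: (c[0], c[1]) for u, c in self.counters.items() if c != [0, 0]}
        report, filed = Report(self.tip_id, self.seq, snapshot), None
        for srv in targets or self.servers:
            echo = srv.receive(report)
            if echo is None or echo.seq != self.seq:
                continue          # lost, busy, or a tardy reply to an old request
            if filed is None:
                # First echo wins: subtract exactly what was echoed, so usage
                # counted meanwhile is neither lost nor reported twice.
                for user, (ct, msgs) in echo.counters.items():
                    self.counters[user][0] -= ct
                    self.counters[user][1] -= msgs
                srv.go_ahead(self.tip_id, self.seq)
                filed = srv.name
            else:
                srv.discard(self.tip_id)
        return filed

    def restart(self):
        """After a crash: clear whatever the servers still hold for this TIP."""
        for srv in self.servers:
            srv.discard(self.tip_id)


def demo():
    """Two servers: one round where both reply, one where the target is busy."""
    a, b = ACTSER("A"), ACTSER("B")
    tip = TIP("TIP-7", [a, b])
    tip.tick("u1", connect=30, messages=12)
    tip.tick("u2", connect=5, messages=1)
    first = tip.transmit()         # A echoes first -> "go ahead"; B -> "discard"
    tip.tick("u1", connect=10, messages=3)
    b.busy = True
    second = tip.transmit([b])     # no echo: nothing filed, counters kept
    b.busy = False
    third = tip.transmit()         # new sequence number; A files the remainder
    filed = [(s.name, seq, counters) for s in (a, b) for seq, counters in s.file]
    return first, second, third, filed, tip.counters
```

Every unit of usage ends up in exactly one file entry: the busy round files nothing and the TIP keeps counting, and the next round carries the accumulated remainder under a fresh sequence number. The simulation does not model the in-flight window of note 2 (a tardy echo arriving after a resend with the same number), which is why the text asks the TIP to wait out the network's maximum delivery time before resending to a silent server.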
If it gets no positive acknowledgement, it tries to send with greater frequency (about every 5 minutes) until it finally succeeds. It can then return to the normal waiting period. (A TIP user logout introduces an exception to this behavior. In order to re-use the TIP port and its associated counters as soon as possible, a user terminating his TIP session causes the accounting data to be sent immediately.) Initially, our implementation calls for each TIP to remember a "favored" accounting server. At the wait period expiration, the TIP will try to deposit the data at its "favored" site. If successful within a short timeout period, this site remains the favored site, and the wait interval is reset. If unsuccessful within the short timeout, the data can be sent to all servers*. The one replying first will update its file with the data and also become the [...]

RFC 5982 (excerpts):

o Measurement system capacity: This consists of the bandwidth of the management network, the storage capacity, and the performances of the collecting devices and exporting devices.

o Application requirements: Different applications, such as traffic engineering, detecting traffic anomalies, and accounting, impose different Flow Record granularities, and data accuracies.

The sustained growth of IP traffic has been overwhelming the capacities of measurement systems.
Furthermore, a large variety of applications (e.g., Quality-of-Service (QoS) measurement, traffic [...]

RFC 2138, Remote Authentication Dial In User Service (RADIUS), April 1997 (Standards Track; excerpts):

1. Introduction

Managing dispersed serial line and modem pools for large numbers of users can create the need for significant administrative support. Since modem pools are by definition a link to the outside world, they require careful attention to security, authorization and accounting. This can be best achieved by managing a single "database" of users, which allows for authentication (verifying user name and password) as well as configuration information detailing the type of service to deliver to the user (for example, SLIP, PPP, telnet, rlogin).

[...]

RADIUS Codes (decimal) are assigned as follows:

      1  Access-Request
      2  Access-Accept
      3  Access-Reject
      4  Accounting-Request
      5  Accounting-Response
     11  Access-Challenge
     12  Status-Server (experimental)
     13  Status-Client (experimental)
    255  Reserved

[...]

Codes 4 and 5 are covered in the RADIUS Accounting document [9], and are not further mentioned here. Codes 12 and 13 are reserved for possible use, but are not further mentioned here.
Identifier

[...]

In the section below on "Attributes" where the text refers to which packets an attribute is allowed in, only packets with Codes 1, 2, 3 and 11 and attributes defined in this document are covered in this document. A summary table is provided at the end of the "Attributes" section. To determine which Attributes are allowed in packets with codes 4 and 5 refer to the RADIUS Accounting document [9].

4. Packet Types

The RADIUS Packet type is determined by the Code field in the first octet of the Packet.

[...]

     35  Login-LAT-Node
     36  Login-LAT-Group
     37  Framed-AppleTalk-Link
     38  Framed-AppleTalk-Network
     39  Framed-AppleTalk-Zone
  40-59  (reserved for accounting)
     60  CHAP-Challenge
     61  NAS-Port-Type
     62  Port-Limit
     63  Login-LAT-Port

[...]

Description

This Attribute is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. No interpretation by the client should be made.
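An added example, not code from RFC 2138, RFC 2139 or any RADIUS implementation: parsing the Code, Identifier, Length and Authenticator header and the attribute list, then checking the authenticators that RFC 2139 (cited above as [9] but not quoted on this page) defines for codes 4 and 5. Assumed and labelled in the code: the RFC 2139 rule that an Accounting-Request authenticator is MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret, and that an Accounting-Response puts the request's authenticator in that zero-octet slot; attribute types 40 (Acct-Status-Type) and 44 (Acct-Session-Id), which fall in the 40-59 range the table above reserves for accounting; and the constructed secret and packet in demo(). The check matters because an accounting server that accepts Accounting-Requests without verifying the authenticator lets anyone who can reach UDP port 1813 inject or replay usage records. MD5 keyed by concatenation with a shared secret is what the protocol offers and is weak by current standards, so this is a check to perform, not a substitute for carrying RADIUS over a protected transport.

```python
"""RADIUS packet parsing and RADIUS Accounting authenticator checks.

Added example, not code from RFC 2138/2139 or any RADIUS implementation.
The header layout (Code, Identifier, Length, 16-octet Authenticator, then
type/length/value attributes) follows RFC 2138; the Accounting-Request and
Accounting-Response authenticator rules follow RFC 2139.  The shared secret
and the sample packets in demo() are constructed for illustration."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
HEADER = struct.Struct("!BBH16s")      # Code, Identifier, Length, Authenticator


def parse(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("Length field inconsistent with packet")
    attrs, pos = [], HEADER.size
    while pos < length:                 # octets beyond Length are ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, auth, attrs


def _authenticator(code, ident, length, seed, body, secret):
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + seed + body + secret).digest()


def build(code, ident, attrs, secret, request_auth=None):
    """Encode an accounting packet with its RFC 2139 authenticator.

    Accounting-Request: MD5 over the header with 16 zero octets in the
    authenticator slot.  Accounting-Response: the request's authenticator
    goes in that slot instead, binding the reply to one specific request."""
    body = b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)
    length = HEADER.size + len(body)
    seed = bytes(16) if code == ACCT_REQUEST else request_auth
    auth = _authenticator(code, ident, length, seed, body, secret)
    return HEADER.pack(code, ident, length, auth) + body


def verify_request(packet, secret):
    """True iff packet is a well-formed Accounting-Request made with secret."""
    code, ident, auth, _ = parse(packet)
    if code != ACCT_REQUEST:
        return False
    length = HEADER.unpack_from(packet)[2]
    expected = _authenticator(code, ident, length, bytes(16), packet[HEADER.size:length], secret)
    return hmac.compare_digest(auth, expected)


def verify_response(response, request, secret):
    """True iff response is an Accounting-Response to exactly this request."""
    code, ident, auth, _ = parse(response)
    req_code, req_ident, req_auth, _ = parse(request)
    if code != ACCT_RESPONSE or req_code != ACCT_REQUEST or ident != req_ident:
        return False
    length = HEADER.unpack_from(response)[2]
    expected = _authenticator(code, ident, length, req_auth, response[HEADER.size:length], secret)
    return hmac.compare_digest(auth, expected)


def demo(secret=b"s3cret"):
    """NAS sends an Accounting-Request (Start), the server answers; both are checked."""
    request = build(ACCT_REQUEST, 7, [(1, b"alice"),                # User-Name
                                      (40, b"\x00\x00\x00\x01"),    # Acct-Status-Type = Start (RFC 2139)
                                      (44, b"0000001F")], secret)   # Acct-Session-Id (RFC 2139)
    response = build(ACCT_RESPONSE, 7, [], secret, request_auth=parse(request)[2])
    tampered = bytearray(request)
    tampered[-1] ^= 0x01                # flip one bit inside the last attribute
    return (verify_request(request, secret), verify_response(response, request, secret),
            verify_request(bytes(tampered), secret), verify_request(request, b"other"))
```

parse() enforces the Length field and every attribute length before any hashing, so a malformed packet is rejected by structure rather than by a failed digest, and the comparison uses a constant-time compare. The Identifier match in verify_response() is what ties a reply to its outstanding request; without it a captured response could be replayed against any later request.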
[...]

[8] Galvin, J., McCloghrie, K., and Davin, J., "SNMP Security Protocols", RFC 1352, Trusted Information Systems, Inc., Hughes LAN Systems, Inc., MIT Laboratory for Computer Science, July 1992.

[9] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.

Acknowledgments

RADIUS was originally developed by Livingston Enterprises for their PortMaster series of Network Access Servers.

RFC 2720 (excerpts):

3 Overview

Traffic Flow Measurement seeks to provide a well-defined method for gathering traffic flow information from networks and internetworks. The background for this is given in "Internet Accounting Background" [ACT-BKG]. The Realtime Traffic Flow Measurement (rtfm) Working Group has produced a measurement architecture to achieve this goal; this is documented in "Traffic Flow Measurement: Architecture" [RTFM-ARC]. The architecture defines three entities:

[...]

- METER READERS, which collect traffic flow data from meters, and

- MANAGERS, which oversee the operation of meters and meter readers.

This memo defines the SNMP management information for a Traffic Flow Meter (TFM). Work in this field was begun by the Internet Accounting Working Group.
It has been further developed and expanded by the Realtime Traffic Flow Measurement Working Group.

[...]

      STATUS      current
      DESCRIPTION
          "Session ID for this flow. Such an ID might be allocated
          by a network access server to distinguish a series of sessions
          between the same pair of addresses, which would otherwise
          appear to be parts of the same accounting flow."
      ::= { flowDataEntry 35 }

  flowDataSourceClass OBJECT-TYPE
      SYNTAX      Integer32 (1..255)
      MAX-ACCESS  read-only

[...]

          flowInactivityTimeout, flowActiveFlows,
          flowMaxFlows, flowFloodMode }
      STATUS      deprecated
      DESCRIPTION
          "The control group defines objects which are used to control
          an accounting meter."
      ::= { flowMIBGroups 1 }

  flowDataTableGroup OBJECT-GROUP

[...]

          flowInactivityTimeout, flowActiveFlows,
          flowMaxFlows, flowFloodMode }
      STATUS      current
      DESCRIPTION
          "The control group defines objects which are used to control
          an accounting meter. It replaces the earlier version of
          flowControlGroup above (now deprecated)."
      ::= { flowMIBGroups 9 }

  flowMIBCompliance MODULE-COMPLIANCE
      STATUS      current

[...]

8 Acknowledgements

An early draft of this document was produced under the auspices of the IETF's Accounting Working Group with assistance from the SNMP Working Group and the Security Area Advisory Group. Particular thanks are due to Jim Barnes, Sig Handelman and Stephen Stibler for their support and their assistance with checking early versions of the MIB.

[...] this standard. Please address the information to the IETF Executive Director.

10 References

[ACT-BKG] Mills, C., Hirsch, G. and G. Ruth, "Internet Accounting Background", RFC 1272, November 1991.

[ASG-NBR] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, ISI, October 1994.

RFC 7155, Diameter Network Access Server Application (excerpts):

Abstract

This document describes the Diameter protocol application used for Authentication, Authorization, and Accounting services in the Network Access Server (NAS) environment; it obsoletes RFC 4005.
When combined with the Diameter Base protocol, Transport Profile, and Extensible Authentication Protocol specifications, this application specification satisfies typical network access services requirements.

[...]

   1.1. Changes from RFC 4005
   1.2. Terminology
   1.3. Requirements Language
   1.4. Advertising Application Support
   1.5. Application Identification
   1.6. Accounting Model
2. NAS Calls, Ports, and Sessions
   2.1. Diameter Session Establishment
   2.2. Diameter Session Reauthentication or Reauthorization
   2.3. Diameter Session Termination
3. Diameter NAS Application Messages

[...]

   3.4. Re-Auth-Answer (RAA) Command
   3.5. Session-Termination-Request (STR) Command
   3.6. Session-Termination-Answer (STA) Command
   3.7. Abort-Session-Request (ASR) Command
   3.8. Abort-Session-Answer (ASA) Command
   3.9. Accounting-Request (ACR) Command
   3.10. Accounting-Answer (ACA) Command
4. Diameter NAS Application AVPs
   4.1. Derived AVP Data Formats
        4.1.1. QoSFilterRule
   4.2. NAS Session AVPs
        4.2.1. Call and Session Information

[...]

        4.5.7. Tunnel-Private-Group-Id AVP
        4.5.8. Tunnel-Assignment-Id AVP
        4.5.9. Tunnel-Preference AVP
        4.5.10. Tunnel-Client-Auth-Id AVP
        4.5.11. Tunnel-Server-Auth-Id AVP
   4.6. NAS Accounting AVPs
        4.6.1. Accounting-Input-Octets AVP
        4.6.2. Accounting-Output-Octets AVP
        4.6.3. Accounting-Input-Packets AVP
        4.6.4. Accounting-Output-Packets AVP
        4.6.5. Acct-Session-Time AVP
        4.6.6. Acct-Authentic AVP
        4.6.7. Accounting-Auth-Method AVP
        4.6.8. Acct-Delay-Time AVP
        4.6.9. Acct-Link-Count AVP
        4.6.10. Acct-Tunnel-Connection AVP
        4.6.11. Acct-Tunnel-Packets-Lost AVP
5. AVP Occurrence Tables
   5.1. AA-Request / AA-Answer AVP Table
   5.2. Accounting AVP Tables
        5.2.1. Framed Access Accounting AVP Table
        5.2.2. Non-Framed Access Accounting AVP Table
6. Unicode Considerations
7. IANA Considerations
8. Security Considerations
   8.1. Authentication Considerations
   8.2. AVP Considerations

[...]

   A.2. RFC 4005

1. Introduction

This document describes the Diameter protocol application used for Authentication, Authorization, and Accounting in the Network Access Server (NAS) environment. When combined with the Diameter Base protocol [RFC6733], Transport Profile [RFC3539], and Extensible Authentication Protocol (EAP) [RFC4072] specifications, this specification satisfies the NAS-related requirements defined in [RFC2989] and [RFC3169].

[...]

First, this document describes the operation of a Diameter NAS application. Then, it defines the Diameter message command codes.
The following sections list the AVPs used in these messages, grouped by common usage. These are session identification, authentication, authorization, tunneling, and accounting. The authorization AVPs are further broken down by service type.

1.1. Changes from RFC 4005

This document obsoletes [RFC4005] and is not backward compatible with [...]

o All of the material regarding RADIUS/Diameter protocol interactions has been removed; however, where AVPs are derived from RADIUS Attributes, the range and format of those Attribute values have been retained for ease of transition.

o The Command Code Format (CCF) [RFC6733] for the Accounting-Request and Accounting-Answer messages has been changed to explicitly require the inclusion of the Acct-Application-Id AVP and exclude the Vendor-Specific-Application-Id AVP. Normally, this type of change would require the allocation of a new command code (see Section 1.3.3 of [RFC6733]) and consequently, a new application-id. However, the presence of an instance of the Acct-Application-Id AVP was required in [RFC4005], as well:

      The Accounting-Request (ACR) message [BASE] is sent by the NAS
      to report its session information to a target server
      downstream.

      Either the Acct-Application-Id or the Vendor-Specific-
      Application-Id AVP MUST be present.
      If the Vendor-Specific- [...] longer be contained in the Vendor-Specific-Application-Id AVP).

o The lists of RADIUS attribute values have been deleted in favor of references to the appropriate IANA registries.

o The accounting model to be used is now specified (see Section 1.6).

[...]

o Session-Termination-Request (Section 3.5)

o Abort-Session-Request (Section 3.7)

1.6. Accounting Model

It is RECOMMENDED that the coupled accounting model (RFC 6733, Section 9.3) be used with this application; therefore, the value of the Acct-Application-Id AVP in the Accounting-Request (Section 3.9) and Accounting-Answer (Section 3.10) messages SHOULD be set to one (1).

2. NAS Calls, Ports, and Sessions

The arrival of a new call or service connection at a port of a [...]

When the authentication or authorization exchange completes successfully, the NAS application SHOULD start a session context. If the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the exchange continues until a success or error is returned.

If accounting is active, the application MUST also send an Accounting message [RFC6733].
An Accounting-Record-Type of START_RECORD is sent for a new session. If a session fails to start, the EVENT_RECORD message is sent with the reason for the failure described.

Note that the return of an unsupportable Accounting-Realtime-Required value [RFC6733] would result in a failure to establish the session.

2.2. Diameter Session Reauthentication or Reauthorization

The Diameter Base protocol allows users to be periodically [...]

RFC 7155 Diameter NASREQ April 2014 (Zorn, Standards Track)

If accounting is active, every change of authentication or authorization SHOULD generate an accounting message. If the NAS service is a continuation of the prior user context, then an Accounting-Record-Type of INTERIM_RECORD indicating the new session attributes and cumulative status would be appropriate. If a new user or a significant change in authorization is detected by the NAS, then the service may send two messages of the types STOP_RECORD and START_RECORD. Accounting may change the subsession identifiers (Acct-Session-Id, or Acct-Sub-Session-Id) to indicate such subsessions. A service may also use a different Session-Id value for accounting (see Section 9.6 of [RFC6733]).
../data/rfc/rfc7155.txt- ../data/rfc/rfc7155.txt- However, the Diameter Session-Id AVP value used for the initial ../data/rfc/rfc7155.txt- authorization exchange MUST be used to generate an STR message when ../data/rfc/rfc7155.txt- the session context is terminated. ../data/rfc/rfc7155.txt- -- ../data/rfc/rfc7155.txt- ../data/rfc/rfc7155.txt- Furthermore, a NAS that receives an Abort-Session-Request (ASR) ../data/rfc/rfc7155.txt- [RFC6733] MUST issue an Abort-Session-Answer (ASA) if the session ../data/rfc/rfc7155.txt- identified is active and disconnect the PPP (or tunneling) session. ../data/rfc/rfc7155.txt- ../data/rfc/rfc7155.txt: If accounting is active, an Accounting STOP_RECORD message [RFC6733] ../data/rfc/rfc7155.txt- MUST be sent upon termination of the session context. ../data/rfc/rfc7155.txt- ../data/rfc/rfc7155.txt- More information on Diameter Session Termination can be found in ../data/rfc/rfc7155.txt- Sections 8.4 and 8.5 of [RFC6733]. ../data/rfc/rfc7155.txt- -- ../data/rfc/rfc7155.txt- | Re-Auth-Answer | RAA | 258 | Section 3.4 | ../data/rfc/rfc7155.txt- | Session-Termination-Request | STR | 275 | Section 3.5 | ../data/rfc/rfc7155.txt- | Session-Termination-Answer | STA | 275 | Section 3.6 | ../data/rfc/rfc7155.txt- | Abort-Session-Request | ASR | 274 | Section 3.7 | ../data/rfc/rfc7155.txt- | Abort-Session-Answer | ASA | 274 | Section 3.8 | ../data/rfc/rfc7155.txt: | Accounting-Request | ACR | 271 | Section 3.9 | ../data/rfc/rfc7155.txt: | Accounting-Answer | ACA | 271 | Section 3.10 | ../data/rfc/rfc7155.txt- +-----------------------------------+---------+------+--------------+ ../data/rfc/rfc7155.txt- ../data/rfc/rfc7155.txt- Note that the message formats in the following subsections use the ../data/rfc/rfc7155.txt- standard Diameter Command Code Format ([RFC6733], Section 3.2). 
--
3.9.  Accounting-Request (ACR) Command

   The ACR message [RFC6733] is sent by the NAS to report its session
   information to a target server downstream.

   The Acct-Application-Id AVP MUST be present.

   The AVPs listed in the Diameter Base protocol specification [RFC6733]
   MUST be assumed to be present, as appropriate.  NAS service-specific
   accounting AVPs SHOULD be present as described in Section 4.6 and the
   rest of this specification.

   Message Format

      <AC-Request> ::= < Diameter Header: 271, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Accounting-Record-Type }
                       { Accounting-Record-Number }
                       { Acct-Application-Id }
                       [ User-Name ]
                       [ Accounting-Sub-Session-Id ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ Destination-Host ]
--
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                     * [ Class ]
                       [ Service-Type ]
                       [ Termination-Cause ]
                       [ Accounting-Input-Octets ]
                       [ Accounting-Input-Packets ]
                       [ Accounting-Output-Octets ]
                       [ Accounting-Output-Packets ]
                       [ Acct-Authentic ]
                       [ Accounting-Auth-Method ]
                       [ Acct-Link-Count ]
                       [ Acct-Session-Time ]
--
                       [ Originating-Line-Info ]
                       [ Authorization-Lifetime ]
                       [ Session-Timeout ]
                       [ Idle-Timeout ]
                       [ Port-Limit ]
                       [ Accounting-Realtime-Required ]
                       [ Acct-Interim-Interval ]
                     * [ Filter-Id ]
                     * [ NAS-Filter-Rule ]
                     * [ QoS-Filter-Rule ]
                       [ Framed-Appletalk-Link ]
--
3.10.  Accounting-Answer (ACA) Command

   The ACA message [RFC6733] is used to acknowledge an
   Accounting-Request command.  The Accounting-Answer command contains
   the same Session-Id as the Request.

   Only the target Diameter server or home Diameter server SHOULD
   respond with the Accounting-Answer command.

   The Acct-Application-Id AVP MUST be present.

   The AVPs listed in the Diameter Base protocol specification [RFC6733]
   MUST be assumed to be present, as appropriate.  NAS service-specific
   accounting AVPs SHOULD be present as described in Section 4.6 and the
   rest of this specification.

   Message Format

      <AC-Answer> ::= < Diameter Header: 271, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      { Accounting-Record-Type }
                      { Accounting-Record-Number }
                      { Acct-Application-Id }
                      [ User-Name ]
                      [ Accounting-Sub-Session-Id ]
                      [ Acct-Session-Id ]
                      [ Acct-Multi-Session-Id ]
                      [ Event-Timestamp ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
--
                      [ NAS-Port ]
                      [ NAS-Port-Id ]
                      [ NAS-Port-Type ]
                      [ Service-Type ]
                      [ Termination-Cause ]
                      [ Accounting-Realtime-Required ]
--
4.2.7.  Connect-Info AVP

   The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent
   in the AA-Request message or an ACR message with the value of the
   Accounting-Record-Type AVP set to STOP.  When sent in the AA-Request,
   it indicates the nature of the user's connection.  The connection
   speed SHOULD be included at the beginning of the first Connect-Info
   AVP in the message.
   If the transmit and receive connection speeds
   differ, both may be included in the first AVP with the transmit speed
   listed first (the speed at which the NAS modem transmits), then a
   slash (/), then the receive speed, and then other optional
   information.

   For example: "28800 V42BIS/LAPM" or "52000/31200 V90"

   If sent in an ACR message with the value of the Accounting-Record-
   Type AVP set to STOP, this attribute may summarize statistics
   relating to session quality.  For example, in IEEE 802.11, the
   Connect-Info AVP may contain information on the number of link layer
   retransmissions.  The exact format of this attribute is
   implementation specific.
--
4.3.  NAS Authentication AVPs

   This section defines the AVPs necessary to carry the authentication
   information in the Diameter protocol.  The functionality defined here
   provides a RADIUS-like Authentication, Authorization, and Accounting
   service [RFC2865] over a more reliable and secure transport, as
   defined in the Diameter Base protocol [RFC6733].

   The following table gives the possible flag values for the session
   level AVPs.
--
   Some NASes support compulsory tunnel services in which the incoming
   connection data is conveyed by an encapsulation method to a gateway
   elsewhere in the network.  This is typically transparent to the
   service user, and the tunnel characteristics may be described by the
   remote Authentication, Authorization, and Accounting server, based on
   the user's authorization information.  Several tunnel characteristics
   may be returned, and the NAS implementation may choose one.  See
   [RFC2868] and [RFC2867] for further information.

   The following table gives the possible flag values for the session-
--
   the hint in the corresponding response.  This AVP SHOULD be included
   in the corresponding ACR messages, in which case it indicates the
   address from which the tunnel was initiated.  This AVP, along with
   the Tunnel-Server-Endpoint (Section 4.5.5) and Session-Id AVPs
   ([RFC6733], Section 8.8), can be used to provide a globally unique
   means to identify a tunnel for accounting and auditing purposes.

   If the value of the Tunnel-Medium-Type AVP (Section 4.5.3) is IPv4
   (1), then this string is either the fully qualified domain name
   (FQDN) of the tunnel client machine or a "dotted-decimal" IP address.
   Implementations MUST support the dotted-decimal format and SHOULD
--
   This AVP SHOULD be included in the corresponding ACR messages, in
   which case it indicates the address from which the tunnel was
   initiated.  This AVP, along with the Tunnel-Client-Endpoint
   (Section 4.5.4) and Session-Id AVP ([RFC6733], Section 8.8), can be
   used to provide a globally unique means to identify a tunnel for
   accounting and auditing purposes.

   If Tunnel-Medium-Type is IPv4 (1), then this string is either the
   fully qualified domain name (FQDN) of the tunnel server machine, or a
   "dotted-decimal" IP address.  Implementations MUST support the
   dotted-decimal format and SHOULD support the FQDN format for IP
--
   This attribute MAY be included in authorization responses.  The
   tunnel initiator receiving this attribute MAY choose to ignore it and
   to assign the session to an arbitrary multiplexed or non-multiplexed
   tunnel between the desired endpoints.  This AVP SHOULD also be
   included in the Accounting-Request messages pertaining to the
   tunneled session.

   If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it
   should assign a session to a tunnel in the following manner:
--
   honor the hint in the corresponding response.  This AVP MUST be
   present in the authorization response if an authentication name other
   than the default is desired.  This AVP SHOULD be included in the ACR
   messages pertaining to the tunneled session.

4.6.  NAS Accounting AVPs

   Applications implementing this specification use Diameter Accounting
   (as defined in [RFC6733]) and the AVPs in the following section.
   Service-specific AVP usage is defined in the tables in Section 5.

   If accounting is active, Accounting Request (ACR) messages SHOULD be
   sent after the completion of any Authentication or Authorization
   transaction and at the end of a session.  The value of the
   Accounting-Record-Type AVP [RFC6733] indicates the type of event.
   All other AVPs identify the session and provide additional
   information relevant to the event.

   The successful completion of the first Authentication or
   Authorization transaction SHOULD cause a START_RECORD to be sent.
   If
--
                                            +----------+
                                            |  Rules   |
                                            |----+-----|
                                   Section  |MUST| MUST|
   Attribute Name                  Defined  |    | NOT |
   -----------------------------------------|----+-----|
   Accounting-Input-Octets         4.6.1    | M  |  V  |
   Accounting-Output-Octets        4.6.2    | M  |  V  |
   Accounting-Input-Packets        4.6.3    | M  |  V  |
   Accounting-Output-Packets       4.6.4    | M  |  V  |
   Acct-Session-Time               4.6.5    | M  |  V  |
   Acct-Authentic                  4.6.6    | M  |  V  |
   Accounting-Auth-Method          4.6.7    | M  |  V  |
   Acct-Delay-Time                 4.6.8    | M  |  V  |
   Acct-Link-Count                 4.6.9    | M  |  V  |
   Acct-Tunnel-Connection          4.6.10   | M  |  V  |
   Acct-Tunnel-Packets-Lost        4.6.11   | M  |  V  |
   -----------------------------------------|----+-----|

4.6.1.  Accounting-Input-Octets AVP

   The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64
   and contains the number of octets received from the user.

   For NAS usage, this AVP indicates how many octets have been received
   from the port in the course of this session.  It can only be present
   in ACR messages with an Accounting-Record-Type [RFC6733] of
   INTERIM_RECORD or STOP_RECORD.

4.6.2.  Accounting-Output-Octets AVP

   The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64
   and contains the number of octets sent to the user.

   For NAS usage, this AVP indicates how many octets have been sent to
   the port in the course of this session.  It can only be present in
   ACR messages with an Accounting-Record-Type of INTERIM_RECORD or
   STOP_RECORD.

4.6.3.  Accounting-Input-Packets AVP

   The Accounting-Input-Packets (AVP Code 365) is of type Unsigned64 and
   contains the number of packets received from the user.

   For NAS usage, this AVP indicates how many packets have been received
   from the port over the course of a session being provided to a Framed
   User.  It can only be present in ACR messages with an
   Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.4.  Accounting-Output-Packets AVP

   The Accounting-Output-Packets (AVP Code 366) is of type Unsigned64
   and contains the number of IP packets sent to the user.

   For NAS usage, this AVP indicates how many packets have been sent to
   the port over the course of a session being provided to a Framed
   User.  It can only be present in ACR messages with an
   Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.5.  Acct-Session-Time AVP

   The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32 and
   indicates the length of the current session in seconds.  It can only
   be present in ACR messages with an Accounting-Record-Type of
   INTERIM_RECORD or STOP_RECORD.

4.6.6.  Acct-Authentic AVP

   The Acct-Authentic AVP (AVP Code 45) is of type Enumerated and
   specifies how the user was authenticated.  The supported values are
   listed in [RADIUSAttrVals].

4.6.7.  Accounting-Auth-Method AVP

   The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated.
   A NAS MAY include this AVP in an Accounting-Request message to
   indicate the method used to authenticate the user.  (Note that this
   AVP is semantically equivalent, and the supported values are
   identical, to the Microsoft MS-Acct-Auth-Type vendor-specific RADIUS
   attribute [RFC2548]).

4.6.8.  Acct-Delay-Time AVP

   The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and
   indicates the number of seconds the Diameter client has been trying
   to send the Accounting-Request (ACR).  The accounting server may
   subtract this value from the time when the ACR arrives at the server
   to calculate the approximate time of the event that caused the ACR to
   be generated.
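The following Python is an added worked example; it is not part of RFC 7155 and not the code of any Diameter implementation. It encodes an ACR/ACA pair in the Command Code Format that Sections 3.9 and 3.10 refer to, decodes them while enforcing the "V bit MUST NOT be set" rule from the Section 4.6 flag table, checks that the ACA echoes the request's Session-Id, record type and record number and carries no traffic counters (Section 5.2 tables), applies the Acct-Delay-Time correction of Section 4.6.8, and implements the Acct-Link-Count completeness rule of Section 4.6.9, which follows, over the rows of that section's table. The command code 271 and AVP codes 363-366, 46, 41 and 51 are the ones given on this page; the base-protocol AVP codes (Session-Id 263, Origin-Host 264, and so on), the Accounting-Record-Type and Result-Code values and the header/AVP byte layout are taken from RFC 6733 and are assumptions here, as are the host names, realm and Session-Id strings, which are constructed.

```python
import struct

# Command and AVP codes that appear on this page (RFC 7155 Sections 3.9 and 4.6.1-4.6.9).
CMD_ACR_ACA = 271
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS = 363, 364, 365, 366
ACCT_SESSION_TIME, ACCT_DELAY_TIME, ACCT_LINK_COUNT = 46, 41, 51
# Base-protocol codes, enumerations and the header/AVP layout are taken from RFC 6733 (assumed, not quoted here).
SESSION_ID, ORIGIN_HOST, ORIGIN_REALM, DEST_REALM = 263, 264, 296, 283
RESULT_CODE, ACCT_RECORD_TYPE, ACCT_RECORD_NUMBER, ACCT_APPLICATION_ID = 268, 480, 485, 259
ACCT_MULTI_SESSION_ID, DIAMETER_SUCCESS = 50, 2001
START_RECORD, INTERIM_RECORD, STOP_RECORD = 2, 3, 4
HDR_R, HDR_P, AVP_V, AVP_M = 0x80, 0x40, 0x80, 0x40
UNSIGNED64 = {ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS}
NAS_ACCT_AVPS = UNSIGNED64 | {ACCT_SESSION_TIME, ACCT_DELAY_TIME, ACCT_LINK_COUNT}
STRING_AVPS = {SESSION_ID, ORIGIN_HOST, ORIGIN_REALM, DEST_REALM, ACCT_MULTI_SESSION_ID}

def avp(code, value, flags=AVP_M):
    """One AVP: code(4) flags(1) length(3) data, zero-padded to a 4-octet boundary."""
    data = value.encode() if isinstance(value, str) else struct.pack("!Q" if code in UNSIGNED64 else "!I", value)
    return struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big") + data + b"\0" * (-len(data) % 4)

def message(flags, avps, app_id=1, hbh=0x1001, e2e=0x2001):
    """20-octet Diameter header then the AVPs; Application-Id 1 is the coupled accounting model (Section 1.6)."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + CMD_ACR_ACA.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)

def decode(buf):
    """Return (header, {code: [values]}); a V bit on a NAS accounting AVP is rejected (MUST NOT, Section 4.6 table)."""
    if len(buf) < 20 or buf[0] != 1 or int.from_bytes(buf[1:4], "big") != len(buf):
        raise ValueError("bad Diameter header")
    header = {"flags": buf[4], "code": int.from_bytes(buf[5:8], "big"), "app_id": struct.unpack("!I", buf[8:12])[0]}
    avps, pos = {}, 20
    while pos < len(buf):
        if pos + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[pos:pos + 5])
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > len(buf):
            raise ValueError("AVP length out of range")
        if flags & AVP_V and code in NAS_ACCT_AVPS:
            raise ValueError(f"AVP {code} MUST NOT carry the V bit")
        data = buf[pos + (12 if flags & AVP_V else 8):pos + length]   # skip Vendor-Id when V is set
        avps.setdefault(code, []).append(data.decode() if code in STRING_AVPS else int.from_bytes(data, "big"))
        pos += length + (-length % 4)
    return header, avps

def check_answer(request, answer):
    """ACA must echo the request's Session-Id (Section 3.10), record type/number, and carry no counters (Section 5.2)."""
    rh, ra = decode(request)
    ah, aa = decode(answer)
    if not rh["flags"] & HDR_R or ah["flags"] & HDR_R or rh["code"] != CMD_ACR_ACA or ah["code"] != CMD_ACR_ACA:
        return False
    if any(ra.get(c) != aa.get(c) for c in (SESSION_ID, ACCT_RECORD_TYPE, ACCT_RECORD_NUMBER, ACCT_APPLICATION_ID)):
        return False
    return UNSIGNED64.isdisjoint(aa) and aa.get(RESULT_CODE) == [DIAMETER_SUCCESS]

def event_time(arrival_ts, avps):
    """Section 4.6.8: the event happened roughly Acct-Delay-Time seconds before the ACR arrived."""
    return arrival_ts - avps.get(ACCT_DELAY_TIME, [0])[0]

class MultilinkTracker:
    """Section 4.6.9 rule: all STOP_RECORDs for an Acct-Multi-Session-Id are in once the number of distinct
    Session-Ids seen with STOP_RECORD equals the largest Acct-Link-Count seen for it.  Keying the STOP set on
    Session-Id keeps a retransmitted STOP from being counted twice.  A record without Acct-Link-Count is
    treated as a single-link bundle (an assumption of this example)."""
    def __init__(self):
        self.stops, self.max_links = {}, {}

    def feed(self, avps):
        multi = avps[ACCT_MULTI_SESSION_ID][0]
        self.max_links[multi] = max(self.max_links.get(multi, 0), avps.get(ACCT_LINK_COUNT, [1])[0])
        if avps[ACCT_RECORD_TYPE][0] == STOP_RECORD:
            self.stops.setdefault(multi, set()).add(avps[SESSION_ID][0])
        return len(self.stops.get(multi, ())) == self.max_links[multi]

def acr(session, multi, rtype, number, links, counters=None):
    """Constructed ACR from a hypothetical NAS (host names, realm and Session-Id values are made up)."""
    avps = [avp(SESSION_ID, session), avp(ORIGIN_HOST, "nas1.example.net"), avp(ORIGIN_REALM, "example.net"),
            avp(DEST_REALM, "example.net"), avp(ACCT_RECORD_TYPE, rtype), avp(ACCT_RECORD_NUMBER, number),
            avp(ACCT_APPLICATION_ID, 1), avp(ACCT_MULTI_SESSION_ID, multi), avp(ACCT_LINK_COUNT, links)]
    avps += [avp(code, value) for code, value in (counters or {}).items()]
    return message(HDR_R | HDR_P, avps)

def aca(session, rtype, number):
    """Constructed ACA from a hypothetical home server acknowledging the ACR."""
    return message(HDR_P, [avp(SESSION_ID, session), avp(RESULT_CODE, DIAMETER_SUCCESS),
                           avp(ORIGIN_HOST, "aaa.example.net"), avp(ORIGIN_REALM, "example.net"),
                           avp(ACCT_RECORD_TYPE, rtype), avp(ACCT_RECORD_NUMBER, number),
                           avp(ACCT_APPLICATION_ID, 1)])

if __name__ == "__main__":
    # The three rows of the Section 4.6.9 table, then the STOP for the first link that completes the bundle.
    tracker = MultilinkTracker()
    for sid, rtype, links in [("...10", START_RECORD, 1), ("...11", START_RECORD, 2),
                              ("...11", STOP_RECORD, 2), ("...10", STOP_RECORD, 2)]:
        print(sid, rtype, tracker.feed(decode(acr(sid, "...10", rtype, 0, links))[1]))
    req = acr("nas1.example.net;1;10", "nas1.example.net;1;10", STOP_RECORD, 3, 1,
              {ACCT_INPUT_OCTETS: 5_000_000_000, ACCT_SESSION_TIME: 3600, ACCT_DELAY_TIME: 7})
    print(check_answer(req, aca("nas1.example.net;1;10", STOP_RECORD, 3)))
```

Two design points worth noting.  The decoder refuses a NAS accounting AVP with the V bit set rather than skipping it, because the flag table makes V a MUST NOT and a peer that sets it is either broken or probing the parser; the length checks before any slice are what keep a short or oversized AVP length from reading past the message.  The tracker keys STOP records on Session-Id because a NAS that lost the ACA resends the STOP with the same Session-Id: a server that simply counted STOP messages would either declare the bundle complete early (with >=) or never match the largest Acct-Link-Count (with ==) after such a retransmission.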
--
4.6.9.  Acct-Link-Count AVP

   The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and
   indicates the total number of links that have been active (current or
   closed) in a given multilink session at the time the accounting
   record is generated.  This AVP MAY be included in Accounting-Request
   AVPs for any session that may be part of a multilink service.

   The Acct-Link-Count AVP may be used to make it easier for an
   accounting server to know when it has all the records for a given
   multilink service.  When the number of Accounting-Request AVPs
   received with Accounting-Record-Type = STOP_RECORD and with the same
   Acct-Multi-Session-Id and unique Session-Id AVPs equals the largest
   value of Acct-Link-Count seen in those Accounting-Request AVPs, all
   STOP_RECORD Accounting-Request AVPs for that multilink service have
   been received.

   The following example, showing eight Accounting-Request AVPs,
   illustrates how the Acct-Link-Count AVP is used.  In the table below,
   only the relevant AVPs are shown, although additional AVPs containing
   accounting information will be present in the Accounting-Requests
   AVPs.

   Acct-Multi-                  Accounting-        Acct-
   Session-Id    Session-Id     Record-Type        Link-Count
   --------------------------------------------------------
   "...10"       "...10"        START_RECORD       1
   "...10"       "...11"        START_RECORD       2
   "...10"       "...11"        STOP_RECORD        2
--
   Tunneling                  | 0+  | 0+  |
   User-Name                  | 0-1 | 0-1 |
   User-Password              | 0-1 | 0   |
   ------------------------------|-----+-----+

5.2.  Accounting AVP Tables

   The tables in this section are used to show which AVPs defined in
   this document are to be present and used in NAS application
   Accounting messages.  These AVPs are defined in this document, as
   well as in [RFC6733] and [RFC2866].

5.2.1.  Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Framed Access.

                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Auth-Method                 | 0-1 | 0   |
   Accounting-Input-Octets                | 1   | 0   |
   Accounting-Input-Packets               | 1   | 0   |
   Accounting-Output-Octets               | 1   | 0   |
   Accounting-Output-Packets              | 1   | 0   |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Record-Type                 | 1   | 1   |
   Accounting-Realtime-Required           | 0-1 | 0-1 |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        | 1   | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         | 1   | 0   |
   Acct-Delay-Time                        | 0-1 | 0   |
--
5.2.2.  Non-Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Non-Framed Access.

                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Auth-Method                 | 0-1 | 0   |
   Accounting-Input-Octets                | 1   | 0   |
   Accounting-Output-Octets               | 1   | 0   |
   Accounting-Record-Type                 | 1   | 1   |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Realtime-Required           | 0-1 | 0-1 |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        | 1   | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         | 1   | 0   |
   Acct-Delay-Time                        | 0-1 | 0   |
--
   [RFC3516]  Nerenberg, L., "IMAP4 Binary Content Extension", RFC 3516,
              April 2003.

   [RFC3539]  Aboba, B. and J. Wood, "Authentication, Authorization and
              Accounting (AAA) Transport Profile", RFC 3539, June 2003.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC5777]  Korhonen, J., Tschofenig, H., Arumaithurai, M., Jones, M.,
--
   [RFC2637]  Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little,
              W., and G. Zorn, "Point-to-Point Tunneling Protocol", RFC
              2637, July 1999.
../data/rfc/rfc7155.txt- ../data/rfc/rfc7155.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc7155.txt- ../data/rfc/rfc7155.txt: [RFC2867] Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting ../data/rfc/rfc7155.txt- Modifications for Tunnel Protocol Support", RFC 2867, June ../data/rfc/rfc7155.txt- 2000. ../data/rfc/rfc7155.txt- ../data/rfc/rfc7155.txt- [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, ../data/rfc/rfc7155.txt- M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol -- ../data/rfc/rfc3717.txt- ../data/rfc/rfc3717.txt-RFC 3717 IP over Optical Networks: A Framework March 2004 ../data/rfc/rfc3717.txt- ../data/rfc/rfc3717.txt- ../data/rfc/rfc3717.txt- o Policies regarding the dynamic provisioning of optical paths ../data/rfc/rfc3717.txt: between routers. These include access control, accounting, and ../data/rfc/rfc3717.txt- security issues. ../data/rfc/rfc3717.txt- ../data/rfc/rfc3717.txt- The following interconnection models are then possible: ../data/rfc/rfc3717.txt- ../data/rfc/rfc3717.txt-5.1. Interconnection Models -- ../data/rfc/rfc3323.txt- target for unsolicited advertising, legal censure or other ../data/rfc/rfc3323.txt- undesirable consequences ../data/rfc/rfc3323.txt- ../data/rfc/rfc3323.txt- Users might want to withhold from participants in a session the ../data/rfc/rfc3323.txt- identity by which they are known to network intermediaries for the ../data/rfc/rfc3323.txt: purposes of billing and accounting ../data/rfc/rfc3323.txt- ../data/rfc/rfc3323.txt- When a user agent decides to send a request through a proxy server, ../data/rfc/rfc3323.txt- it may be difficult for the originator to anticipate the final ../data/rfc/rfc3323.txt- destination of that message. For that reason, users are advised not ../data/rfc/rfc3323.txt- to base their estimation of their privacy needs on where they expect -- ../data/rfc/rfc640.txt- information, such as status or help. 
11g2 ../data/rfc/rfc640.txt- ../data/rfc/rfc640.txt- x2z Connections - Replies referring to the TELNET and ../data/rfc/rfc640.txt- data connections. 11g3 ../data/rfc/rfc640.txt- ../data/rfc/rfc640.txt: x3z Authentication and accounting - Replies for the logon ../data/rfc/rfc640.txt: process and accounting procedures. 11g4 ../data/rfc/rfc640.txt- ../data/rfc/rfc640.txt- x4z Unspecified as yet 11g5 ../data/rfc/rfc640.txt- ../data/rfc/rfc640.txt- x5z File system - These replies indicate the status of ../data/rfc/rfc640.txt- the Server file system vis-a-vis the requested -- ../data/rfc/rfc4670.txt-Request for Comments: 4670 Enterasys Networks ../data/rfc/rfc4670.txt-Obsoletes: 2620 August 2006 ../data/rfc/rfc4670.txt-Category: Informational ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt: RADIUS Accounting Client MIB for IPv6 ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt-Status of This Memo ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt- This memo provides information for the Internet community. It does ../data/rfc/rfc4670.txt- not specify an Internet standard of any kind. Distribution of this -- ../data/rfc/rfc4670.txt- Copyright (C) The Internet Society (2006). ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt-Abstract ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt- This memo defines a set of extensions that instrument RADIUS ../data/rfc/rfc4670.txt: accounting client functions. These extensions represent a portion of ../data/rfc/rfc4670.txt- the Management Information Base (MIB) for use with network management ../data/rfc/rfc4670.txt- protocols in the Internet community. Using these extensions, ../data/rfc/rfc4670.txt: IP-based management stations can manage RADIUS accounting clients. 
../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt- This memo obsoletes RFC 2620 by deprecating the MIB table containing ../data/rfc/rfc4670.txt- IPv4-only address formats and defining a new table to add support for ../data/rfc/rfc4670.txt- version-neutral IP address formats. The remaining MIB objects from ../data/rfc/rfc4670.txt- RFC 2620 are carried forward into this document. This memo also adds -- ../data/rfc/rfc4670.txt-1. Introduction ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt- This memo defines a portion of the Management Information Base (MIB) ../data/rfc/rfc4670.txt- for use with network management protocols in the Internet community. ../data/rfc/rfc4670.txt- The objects defined within this memo relate to the Remote ../data/rfc/rfc4670.txt: Authentication Dial-In User Service (RADIUS) Accounting Client as ../data/rfc/rfc4670.txt- defined in RFC 2866 [RFC2866]. ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt-2. Terminology ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", -- ../data/rfc/rfc4670.txt- RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 ../data/rfc/rfc4670.txt- [RFC2580]. ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt-4. Scope of Changes ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt: This document obsoletes RFC 2620 [RFC2620], RADIUS Accounting Client ../data/rfc/rfc4670.txt- MIB, by deprecating the radiusAccServerTable table and adding a new ../data/rfc/rfc4670.txt- table, radiusAccServerExtTable, containing ../data/rfc/rfc4670.txt- radiusAccServerInetAddressType, radiusAccServerInetAddress, and ../data/rfc/rfc4670.txt- radiusAccClientServerInetPortNumber. The purpose of these added MIB ../data/rfc/rfc4670.txt- objects is to support version-neutral IP addressing formats. The -- ../data/rfc/rfc4670.txt- changed to "deprecated". 
   The other approach, of having multiple
   similar tables for different IP versions, is strongly discouraged.'

5.  Structure of the MIB Module

   The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
   distinguishes between the client function and the server function.
   In RADIUS accounting, clients send Accounting-Requests, and servers
   reply with Accounting-Responses.  Typically, Network Access Server
   (NAS) devices implement the client function, and thus would be
   expected to implement the RADIUS accounting client MIB, while RADIUS
   accounting servers implement the server function, and thus would be
   expected to implement the RADIUS accounting server MIB.

   However, it is possible for a RADIUS accounting entity to perform
   both client and server functions.  For example, a RADIUS proxy may
   act as a server to one or more RADIUS accounting clients, while
   simultaneously acting as an accounting client to one or more
   accounting servers.  In such situations, it is expected that RADIUS
   entities combining client and server functionality will support both
   the client and server MIBs.  The client MIB is defined in this
   document, and the server MIB is defined in [RFC4671].

   This MIB module contains two scalars as well as two tables: the
   deprecated radiusAccServerTable and its version-neutral replacement,
   radiusAccServerExtTable (see Section 4).  Each table contains one row
   for each RADIUS server with which the client shares a secret.
   Each entry in
   the version-neutral table, radiusAccServerExtTable, includes fifteen
   columns presenting a view of the activity of the RADIUS client.

   This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001].

--
   accurately be represented in both the new table and the
   deprecated table.

   Managed entities SHOULD NOT instantiate row entries in the deprecated
   table, containing IPv4-only address objects, when the RADIUS
   accounting server address represented in such a table row is not an
   IPv4 address.  Managed entities SHOULD NOT return inaccurate values
   of IP address or SNMP object access errors for IPv4-only address
   objects in otherwise populated tables.  When row entries exist in
   both the deprecated IPv4-only table and the new IP-version-neutral
   table that describe the same RADIUS accounting server, the row
   indexes SHOULD be the same for the corresponding rows in each table,
   to facilitate correlation of these related rows by management
   applications.

7.  Definitions
--
         Phone: +1 425 936 6605
         EMail: bernarda@microsoft.com"
   DESCRIPTION
         "The MIB module for entities implementing the client
          side of the Remote Authentication Dial-In User Service
          (RADIUS) accounting protocol.  Copyright (C) The
          Internet Society (2006).
          This version of this MIB
          module is part of RFC 4670; see the RFC itself for
          full legal notices."
   REVISION "200608210000Z"  -- 21 August 2006
   DESCRIPTION
--
          for version-neutral IP address formats.  The remaining
          MIB objects from RFC 2620 are carried forward into this
          version."
   REVISION "199906110000Z"  -- 11 Jun 1999
   DESCRIPTION "Initial version as published in RFC 2620."
   ::= { radiusAccounting 2 }

radiusMIB OBJECT-IDENTITY
   STATUS  current
   DESCRIPTION
         "The OID assigned to RADIUS MIB work by the IANA."
   ::= { mib-2 67 }

radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}

radiusAccClientMIBObjects OBJECT IDENTIFIER
   ::= { radiusAccClientMIB 1 }

radiusAccClient OBJECT IDENTIFIER
--
   SYNTAX Counter32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The number of RADIUS Accounting-Response packets
          received from unknown addresses."
   ::= { radiusAccClient 1 }


--
radiusAccClientIdentifier OBJECT-TYPE
   SYNTAX SnmpAdminString
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The NAS-Identifier of the RADIUS accounting client.
          This is not necessarily the same as sysName in MIB
          II."
   REFERENCE "RFC 2865 section 5.32"
   ::= { radiusAccClient 2 }

radiusAccServerTable OBJECT-TYPE
   SYNTAX SEQUENCE OF RadiusAccServerEntry
   MAX-ACCESS not-accessible
   STATUS deprecated
   DESCRIPTION
         "The (conceptual) table listing the RADIUS accounting
          servers with which the client shares a secret."
   ::= { radiusAccClient 3 }

radiusAccServerEntry OBJECT-TYPE
   SYNTAX RadiusAccServerEntry
   MAX-ACCESS not-accessible
   STATUS deprecated
   DESCRIPTION
         "An entry (conceptual row) representing a RADIUS
          accounting server with which the client shares a
          secret."
   INDEX { radiusAccServerIndex }
   ::= { radiusAccServerTable 1 }

RadiusAccServerEntry ::= SEQUENCE {
--
   SYNTAX Integer32 (1..2147483647)
   MAX-ACCESS not-accessible
   STATUS deprecated
   DESCRIPTION
         "A number uniquely identifying each RADIUS
          Accounting server with which this client
          communicates."
   ::= { radiusAccServerEntry 1 }

radiusAccServerAddress OBJECT-TYPE
   SYNTAX IpAddress
   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The IP address of the RADIUS accounting server
          referred to in this table entry."
   ::= { radiusAccServerEntry 2 }

radiusAccClientServerPortNumber OBJECT-TYPE
   SYNTAX Integer32 (0..65535)
--
   SYNTAX TimeTicks
   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The time interval between the most recent
          Accounting-Response and the Accounting-Request that
          matched it from this RADIUS accounting server."
   REFERENCE "RFC 2866 section 2"
   ::= { radiusAccServerEntry 4 }

-- Request/Response statistics
--
--
   SYNTAX Counter32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The number of RADIUS Accounting-Request packets
          sent.  This does not include retransmissions."
   REFERENCE "RFC 2866 section 4.1"
   ::= { radiusAccServerEntry 5 }

radiusAccClientRetransmissions OBJECT-TYPE
   SYNTAX Counter32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The number of RADIUS Accounting-Request packets
          retransmitted to this RADIUS accounting server.
          Retransmissions include retries where the
          Identifier and Acct-Delay have been updated, as
          well as those in which they remain the same."
   REFERENCE "RFC 2866 section 2"
   ::= { radiusAccServerEntry 6 }
--
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The number of RADIUS packets received on the
          accounting port from this server."
   REFERENCE "RFC 2866 section 4.2"
   ::= { radiusAccServerEntry 7 }

radiusAccClientMalformedResponses OBJECT-TYPE
   SYNTAX Counter32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The number of malformed RADIUS Accounting-Response
          packets received from this server.  Malformed packets
          include packets with an invalid length.  Bad
          authenticators and unknown types are not included as
          malformed accounting responses."
   REFERENCE "RFC 2866 section 3"



Nelson                       Informational                      [Page 9]
--
   SYNTAX Counter32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The number of RADIUS Accounting-Response
          packets that contained invalid authenticators
          received from this server."
   REFERENCE "RFC 2866 section 3"
   ::= { radiusAccServerEntry 9 }
--
   SYNTAX Gauge32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The number of RADIUS Accounting-Request packets
          sent to this server that have not yet timed out or
          received a response.
          This variable is incremented
          when an Accounting-Request is sent and decremented
          due to receipt of an Accounting-Response, a timeout,
          or a retransmission."
   REFERENCE "RFC 2866 section 2"
   ::= { radiusAccServerEntry 10 }

radiusAccClientTimeouts OBJECT-TYPE
   SYNTAX Counter32
   UNITS "timeouts"
   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The number of accounting timeouts to this server.
          After a timeout, the client may retry to the same
          server, send to a different server, or give up.
          A retry to the same server is counted as a
          retransmit as well as a timeout.  A send to a different
          server is counted as an Accounting-Request as well as
          a timeout."
   REFERENCE "RFC 2866 section 2"
   ::= { radiusAccServerEntry 11 }

radiusAccClientUnknownTypes OBJECT-TYPE
--

   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The number of RADIUS packets of unknown type that
          were received from this server on the accounting port."
   REFERENCE "RFC 2866 section 4"
   ::= { radiusAccServerEntry 12 }

radiusAccClientPacketsDropped OBJECT-TYPE
   SYNTAX Counter32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS deprecated
   DESCRIPTION
         "The number of RADIUS packets that were received from
          this server on the accounting port and dropped for some
          other reason."
   ::= { radiusAccServerEntry 13 }


-- New MIB objects added in this revision
--
radiusAccServerExtTable OBJECT-TYPE
   SYNTAX SEQUENCE OF RadiusAccServerExtEntry
   MAX-ACCESS not-accessible
   STATUS current
   DESCRIPTION
         "The (conceptual) table listing the RADIUS accounting
          servers with which the client shares a secret."
   ::= { radiusAccClient 4 }

radiusAccServerExtEntry OBJECT-TYPE
   SYNTAX RadiusAccServerExtEntry
   MAX-ACCESS not-accessible
   STATUS current
   DESCRIPTION
         "An entry (conceptual row) representing a RADIUS
          accounting server with which the client shares a
          secret."
   INDEX { radiusAccServerExtIndex }
   ::= { radiusAccServerExtTable 1 }

RadiusAccServerExtEntry ::= SEQUENCE {
--
   SYNTAX Integer32 (1..2147483647)
   MAX-ACCESS not-accessible
   STATUS current
   DESCRIPTION
         "A number uniquely identifying each RADIUS
          Accounting server with which this client
          communicates."
   ::= { radiusAccServerExtEntry 1 }


radiusAccServerInetAddressType OBJECT-TYPE
--
radiusAccServerInetAddress OBJECT-TYPE
   SYNTAX InetAddress
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The IP address of the RADIUS accounting
          server referred to in this table entry, using
          the version-neutral IP address format."
   ::= { radiusAccServerExtEntry 3 }

radiusAccClientServerInetPortNumber OBJECT-TYPE
--

RFC 4670             RADIUS Acct Client MIB (IPv6)           August 2006


         "The UDP port the client is using to send requests
          to this accounting server.  The value zero (0) is
          invalid."
   REFERENCE "RFC 2866 section 3"
   ::= { radiusAccServerExtEntry 4 }

--
   SYNTAX TimeTicks
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The time interval between the most recent
          Accounting-Response and the Accounting-Request that
          matched it from this RADIUS accounting server."
   REFERENCE "RFC 2866 section 2"
   ::= { radiusAccServerExtEntry 5 }

-- Request/Response statistics
--
--
   SYNTAX Counter32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The number of RADIUS Accounting-Request packets
          sent.  This does not include retransmissions.
          This counter may experience a discontinuity when the
          RADIUS Accounting Client module within the managed
          entity is reinitialized, as indicated by the current
          value of radiusAccClientCounterDiscontinuity."
   REFERENCE "RFC 2866 section 4.1"
   ::= { radiusAccServerExtEntry 6 }
--
   SYNTAX Counter32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The number of RADIUS Accounting-Request packets
          retransmitted to this RADIUS accounting server.
          Retransmissions include retries where the
          Identifier and Acct-Delay have been updated, as
          well as those in which they remain the same.
          This counter may experience a discontinuity when the
          RADIUS Accounting Client module within the managed
          entity is reinitialized, as indicated by the current
          value of radiusAccClientCounterDiscontinuity."
   REFERENCE "RFC 2866 section 2"
   ::= { radiusAccServerExtEntry 7 }
--
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The number of RADIUS packets received on the
          accounting port from this server.  This counter
          may experience a discontinuity when the RADIUS
          Accounting Client module within the managed entity is
          reinitialized, as indicated by the current value of
          radiusAccClientCounterDiscontinuity."
   REFERENCE "RFC 2866 section 4.2"
   ::= { radiusAccServerExtEntry 8 }
--
   SYNTAX Counter32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The number of malformed RADIUS Accounting-Response
          packets received from this server.
          Malformed packets
          include packets with an invalid length.  Bad
          authenticators and unknown types are not included as
          malformed accounting responses.  This counter may
          experience a discontinuity when the RADIUS Accounting
          Client module within the managed entity is
          reinitialized, as indicated by the current
          value of radiusAccClientCounterDiscontinuity."
   REFERENCE "RFC 2866 section 3"
   ::= { radiusAccServerExtEntry 9 }
--
   DESCRIPTION
         "The number of RADIUS Accounting-Response
          packets that contained invalid authenticators
          received from this server.  This counter may
          experience a discontinuity when the RADIUS
          Accounting Client module within the managed
          entity is reinitialized, as indicated by the
          current value of
          radiusAccClientCounterDiscontinuity."
   REFERENCE "RFC 2866 section 3"
   ::= { radiusAccServerExtEntry 10 }
--
   SYNTAX Gauge32
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The number of RADIUS Accounting-Request packets
          sent to this server that have not yet timed out or
          received a response.
          This variable is incremented
          when an Accounting-Request is sent and decremented
          due to receipt of an Accounting-Response, a timeout,
          or a retransmission.  This counter may experience a
          discontinuity when the RADIUS Accounting Client module
          within the managed entity is reinitialized, as
          indicated by the current value of
          radiusAccClientCounterDiscontinuity."
   REFERENCE "RFC 2866 section 2"
   ::= { radiusAccServerExtEntry 11 }
--
   SYNTAX Counter32
   UNITS "timeouts"
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The number of accounting timeouts to this server.
          After a timeout, the client may retry to the same
          server, send to a different server, or give up.
          A retry to the same server is counted as a
          retransmit as well as a timeout.  A send to a different
          server is counted as an Accounting-Request as well as
          a timeout.  This counter may experience a discontinuity
          when the RADIUS Accounting Client module within the
          managed entity is reinitialized, as indicated by the
          current value of radiusAccClientCounterDiscontinuity."
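   The counter rules spelled out in the DESCRIPTION clauses above are
   easier to check against running code than against prose: a request
   counts once and raises the pending gauge; a timeout lowers the gauge
   and then becomes either a retransmission to the same server or a
   fresh Accounting-Request to another one; an arriving packet bumps
   the received counter and then exactly one of the malformed,
   unknown-type, dropped, or bad-authenticator counters; a module
   reinitialisation restarts everything and resets the discontinuity
   clock.  The following model is an added example, not code from RFC
   4670 or from any RADIUS implementation.  It goes one step further
   than the MIB text by also building the RFC 2866 packets and checking
   the Response Authenticator (MD5 over Code, Identifier, Length, the
   Request Authenticator, the attributes and the shared secret, RFC 2866
   section 3), since that check is what feeds the bad-authenticator
   column.  The names AcctClient, ServerRow and make_response, the
   in-process "server", and the sample addresses and secrets are this
   example's own assumptions.

```python
"""Added example, not RFC 4670 or any implementation's code: a model of the
radiusAccServerExtTable counters over RFC 2866 Accounting-Request/-Response
exchanges.  Class/function names and the in-process server are assumptions."""
import hashlib
import hmac
import struct
import time

ACCT_REQUEST, ACCT_RESPONSE = 4, 5  # packet Codes, RFC 2866 section 3
HDR = struct.Struct("!BBH")         # Code, Identifier, Length; a 16-octet Authenticator follows

def authenticator(code, ident, attrs, prior, secret):
    # RFC 2866 section 3: MD5(Code + Identifier + Length + prior + Attributes + Secret), where
    # prior is 16 zero octets for a Request and the Request Authenticator for a Response.
    return hashlib.md5(HDR.pack(code, ident, 20 + len(attrs)) + prior + attrs + secret).digest()

def make_response(request, secret, attrs=b""):
    # Simulated accounting server (constructed for this example): answer a request in-process.
    _, ident, _ = HDR.unpack_from(request)
    auth = authenticator(ACCT_RESPONSE, ident, attrs, request[4:20], secret)
    return HDR.pack(ACCT_RESPONSE, ident, 20 + len(attrs)) + auth + attrs

class ServerRow:
    """One conceptual row of radiusAccServerExtTable: a server the client shares a secret with."""
    def __init__(self, address, port, secret):
        self.address, self.port, self.secret = address, port, secret  # ...InetAddress / ...InetPortNumber
        self.reinitialize()

    def reinitialize(self):
        # Module reinitialisation: every counter restarts and the discontinuity clock is reset.
        self.pending = {}  # Identifier -> (request authenticator, send time); len() is the Gauge32
        self.requests = self.retransmissions = self.responses = self.malformed = 0
        self.bad_authenticators = self.timeouts = self.unknown_types = self.dropped = 0
        self.round_trip_time = 0  # TimeTicks between the latest matched Request and Response
        self._discontinuity = time.monotonic()

    @property
    def counter_discontinuity(self):
        # radiusAccClientCounterDiscontinuity: centiseconds since the counters last restarted
        return int((time.monotonic() - self._discontinuity) * 100)

class AcctClient:
    """Client side: the two scalars plus one ServerRow per configured accounting server."""
    def __init__(self, identifier):
        self.identifier = identifier       # radiusAccClientIdentifier (NAS-Identifier)
        self.invalid_server_addresses = 0  # radiusAccClient 1: responses from unknown addresses
        self.rows = {}                     # server address -> ServerRow
        self._next_id = 0

    def add_server(self, address, port, secret):
        self.rows[address] = ServerRow(address, port, secret)
        return self.rows[address]

    def send(self, row, attrs):
        # A new Accounting-Request counts once as a request and raises the pending gauge.
        ident, self._next_id = self._next_id, (self._next_id + 1) % 256
        auth = authenticator(ACCT_REQUEST, ident, attrs, bytes(16), row.secret)
        row.pending[ident] = (auth, time.monotonic())
        row.requests += 1
        return HDR.pack(ACCT_REQUEST, ident, 20 + len(attrs)) + auth + attrs

    def timeout(self, row, ident, attrs, retry_on=None):
        # Per the Timeouts DESCRIPTION: retry to the same row = timeout + retransmission;
        # retry_on another row = timeout here and a fresh Request there; None = give up.
        row.timeouts += 1
        auth, _ = row.pending.pop(ident)  # the gauge drops on a timeout
        if retry_on is row:
            row.retransmissions += 1
            row.pending[ident] = (auth, time.monotonic())  # same Identifier and Authenticator re-sent
            return HDR.pack(ACCT_REQUEST, ident, 20 + len(attrs)) + auth + attrs
        return self.send(retry_on, attrs) if retry_on is not None else None

    def receive(self, packet, from_address):
        # Classify a packet arriving on the accounting port and bump exactly one error counter.
        row = self.rows.get(from_address)
        if row is None:
            self.invalid_server_addresses += 1
            return "unknown-address"
        row.responses += 1  # every packet from this server on the accounting port is counted
        if len(packet) < 20 or len(packet) > 4096 or HDR.unpack_from(packet)[2] != len(packet):
            row.malformed += 1  # length errors only; bad authenticators and unknown types go elsewhere
            return "malformed"
        code, ident, _ = HDR.unpack_from(packet)
        if code != ACCT_RESPONSE:
            row.unknown_types += 1
            return "unknown-type"
        if ident not in row.pending:
            row.dropped += 1  # nothing outstanding matches this Identifier
            return "dropped"
        req_auth, sent_at = row.pending[ident]
        expected = authenticator(ACCT_RESPONSE, ident, packet[20:], req_auth, row.secret)
        if not hmac.compare_digest(packet[4:20], expected):
            row.bad_authenticators += 1  # RFC 2866 section 3: silently discard
            return "bad-authenticator"
        del row.pending[ident]
        row.round_trip_time = int((time.monotonic() - sent_at) * 100)
        return "ok"
```

   Two design points worth noting.  The authenticator comparison uses a
   constant-time compare so that a forged response cannot be tuned
   byte-by-byte against the client's timing; the MIB counts the failure
   either way.  And the length check runs before the type and
   authenticator checks, which is what keeps the malformed counter
   disjoint from the other two, as the DESCRIPTION requires.  Retries
   that update Acct-Delay-Time would carry a new Identifier and
   Authenticator; the model re-sends the original bytes, which the
   retransmission counter also covers.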
   REFERENCE "RFC 2866 section 2"

--
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The number of RADIUS packets of unknown type that
          were received from this server on the accounting port.
          This counter may experience a discontinuity when the
          RADIUS Accounting Client module within the managed
          entity is reinitialized, as indicated by the current
          value of radiusAccClientCounterDiscontinuity."
   REFERENCE "RFC 2866 section 4"
   ::= { radiusAccServerExtEntry 13 }
--
   UNITS "packets"
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The number of RADIUS packets that were received from
          this server on the accounting port and dropped for some
          other reason.  This counter may experience a
          discontinuity when the RADIUS Accounting Client module
          within the managed entity is reinitialized, as indicated
          by the current value of
          radiusAccClientCounterDiscontinuity."
   ::= { radiusAccServerExtEntry 14 }
--
   UNITS "centiseconds"
   MAX-ACCESS read-only
   STATUS current
   DESCRIPTION
         "The number of centiseconds since the last
          discontinuity in the RADIUS Accounting Client
          counters.
          A discontinuity may be the result of a
          reinitialization of the RADIUS Accounting Client
          module within the managed entity."
   ::= { radiusAccServerExtEntry 15 }


--
-- units of conformance

radiusAccClientMIBCompliance MODULE-COMPLIANCE
   STATUS deprecated
   DESCRIPTION
         "The compliance statement for accounting clients
          implementing the RADIUS Accounting Client MIB.
          Implementation of this module is for IPv4-only
          entities, or for backwards compatibility use with
          entities that support both IPv4 and IPv6."
   MODULE -- this module
   MANDATORY-GROUPS { radiusAccClientMIBGroup }
--


radiusAccClientExtMIBCompliance MODULE-COMPLIANCE
   STATUS current
   DESCRIPTION
         "The compliance statement for accounting
          clients implementing the RADIUS Accounting
          Client IPv6 Extensions MIB.  Implementation of
          this module is for entities that support IPv6,
          or support IPv4 and IPv6."
   MODULE -- this module
   MANDATORY-GROUPS { radiusAccClientExtMIBGroup }
--
             radiusAccClientPacketsDropped
           }
   STATUS deprecated
   DESCRIPTION
         "The basic collection of objects providing management of
          RADIUS Accounting Clients."
   ::= { radiusAccClientMIBGroups 1 }


radiusAccClientExtMIBGroup OBJECT-GROUP
   OBJECTS { radiusAccClientIdentifier,
--

           }
   STATUS current
   DESCRIPTION
         "The basic collection of objects providing management of
          RADIUS Accounting Clients."
   ::= { radiusAccClientMIBGroups 2 }


END
--

   There are a number of managed objects in this MIB that may contain
   sensitive information.  These are:

   radiusAccServerAddress
   This can be used to determine the address of the RADIUS accounting
   server with which the client is communicating.  This information
   could be useful in mounting an attack on the accounting server.

   radiusAccServerInetAddress
   This can be used to determine the address of the RADIUS accounting
   server with which the client is communicating.  This information
   could be useful in mounting an attack on the accounting server.

   radiusAccClientServerPortNumber
   This can be used to determine the UDP port to which the RADIUS
   accounting client is sending requests.  This information could be
   useful in impersonating the client in order to send data to the
   accounting server.
   radiusAccClientServerInetPortNumber
   This can be used to determine the UDP port to which the RADIUS
   accounting client is sending requests.  This information could be
   useful in impersonating the client in order to send data to the
   accounting server.

   It is thus important to control even GET access to these objects and
   possibly to even encrypt the values of these objects when sending
   them over the network via SNMP.  Not all versions of SNMP provide
   features
--

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.
--
9.2.  Informative References

   [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
              RFC 2620, June 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.
../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt- [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, ../data/rfc/rfc4670.txt- "Introduction and Applicability Statements for Internet- ../data/rfc/rfc4670.txt- Standard Management Framework", RFC 3410, December 2002. ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt: [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC ../data/rfc/rfc4670.txt- 4671, August 2006. ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt- ../data/rfc/rfc4670.txt- -- ../data/rfc/rfc3423.txt-Request for Comments: 3423 E. Elkin ../data/rfc/rfc3423.txt-Category: Informational XACCT Technologies ../data/rfc/rfc3423.txt- November 2002 ../data/rfc/rfc3423.txt- ../data/rfc/rfc3423.txt- ../data/rfc/rfc3423.txt: XACCT's Common Reliable Accounting for Network Element (CRANE) ../data/rfc/rfc3423.txt- Protocol Specification Version 1.0 ../data/rfc/rfc3423.txt- ../data/rfc/rfc3423.txt-Status of this Memo ../data/rfc/rfc3423.txt- ../data/rfc/rfc3423.txt- This memo provides information for the Internet community. It does -- ../data/rfc/rfc3423.txt- ../data/rfc/rfc3423.txt- Copyright (C) The Internet Society (2002). All Rights Reserved. ../data/rfc/rfc3423.txt- ../data/rfc/rfc3423.txt-Abstract ../data/rfc/rfc3423.txt- ../data/rfc/rfc3423.txt: This document defines the Common Reliable Accounting for Network ../data/rfc/rfc3423.txt- Element (CRANE) protocol that enables efficient and reliable delivery ../data/rfc/rfc3423.txt: of any data, mainly accounting data from Network Elements to any ../data/rfc/rfc3423.txt- systems, such as mediation systems and Business Support Systems ../data/rfc/rfc3423.txt- (BSS)/ Operations Support Systems (OSS). The protocol is developed ../data/rfc/rfc3423.txt: to address the critical needs for exporting high volume of accounting ../data/rfc/rfc3423.txt- data from NE's with efficient use of network, storage, and processing ../data/rfc/rfc3423.txt- resources. 

   This document specifies the architecture of the protocol and the
   message format, which MUST be supported by all CRANE protocol
--

1 Introduction

   Network Elements are often required to export usage information to
   mediation and business support systems (BSS) to facilitate
   accounting.  Though there are several existing mechanisms for usage
   information export, they are becoming inadequate to support the
   evolving business requirements from service providers.

   For example, some of the export mechanisms are legacies of the Telco
   world.  Typically usage information is stored in Network Elements as
--
   of limitations of RADIUS can be found in [3].

   DIAMETER [2] is a new AAA protocol that retains the basic RADIUS
   model, and eliminates several drawbacks in RADIUS.  The current
   DIAMETER protocol and its extensions focus on Internet and wireless
   network access, and their support for accounting is closely
   associated with authentication/authorization events.  DIAMETER is
   intended to solve many problems in the AAA area; by doing so, it does
   not adequately address some critical issues such as efficiency and
   performance in an accounting protocol.

   There are also SNMP based mechanisms that generally require a large
   amount of processing and bandwidth resources.

   Based on the above analysis, a critical need for a reliable, fast,
   efficient and flexible accounting protocol exists.  The XACCT's CRANE
   protocol is designed to address these critical requirements.

   This document defines the CRANE protocol that enables efficient and
   reliable delivery of any data, mainly accounting data from Network
   Elements to any systems, such as mediation systems and BSS/OSS.  The
   protocol is developed to address the critical needs for exporting
   high volume of accounting data from NE's with efficient use of
   network, storage, and processing resources.

   This document specifies the architecture of the protocol and the
   message format, which MUST be supported by all CRANE protocol
   implementations.
--

1.2 Terminology

   CRANE Protocol

      CRANE stands for Common Reliable Accounting for Network Element.
      The CRANE Protocol may be referred to as CRANE, or the Protocol,
      in this document.  The CRANE Protocol is used at the interface(s)
      between a CRANE client and one or multiple CRANE servers for the
      purpose of delivering accounting data.

--

   Client or CRANE Client

      A CRANE Client is an implementation on the data producing side of
      the CRANE protocol.  It is typically integrated with the network
      element's software, enabling it to collect and send out accounting
      data to a mediation/billing system using the protocol defined
      herein.

   Server or CRANE Server

--

   CRANE Session

      A CRANE Session is a logical connection between a CRANE client and
      one or multiple CRANE servers for the purpose of delivering
      accounting data.  Multiple sessions MAY be maintained concurrently
      in a CRANE client or a CRANE server; they are distinguished by
      Session IDs.

   Server Priority

      A CRANE server is assigned a Priority value.  Accounting data
      is always delivered to the perceived operating CRANE server (from
      the CRANE client point of view) with the highest Priority value
      (the primary server) within a CRANE Session.

   Message
--
      optionally control or user data payload.

   Data Record

      A Data Record is a collection of information gathered by the
      Network Element for various purposes, e.g., accounting.  The
      structure of a Data Record is defined by a Template.

--
      specifies the data type, meaning, and location of the fields in
      the record.

   Data Sequence Number (DSN)

      An accounting Data Record level sequence number, which is attached
      to all data messages to facilitate reliable and in-sequence
      delivery.

2 Protocol Overview

   The CRANE protocol is designed to deliver accounting data reliably,
   efficiently, and quickly.  Due to the nature of accounting data,
   large records often need to be transmitted; thus supporting
   fragmentation of large records is required.  Furthermore, the value
   associated with accounting data is high; to prevent data loss, quick
   detection of unresponsive CRANE servers is also required for added
   robustness.

   The CRANE protocol can be viewed as an application that uses the data
   transport service provided by lower layer protocols.  It relies on a
--

   1. Session level authentication.
   2. Message based data delivery (as opposed to stream based).
   3. Fast connection failure detection.

   Reliable delivery of accounting data is achieved through both the
   transport layer level and the CRANE protocol level.  The transport
   layer acknowledgments are used to ensure quick detection of lost data
   packets and unresponsive servers, while the CRANE protocol
   acknowledges CRANE messages after they have been processed and the
   accounting information has been placed in persistent storage.

   Being a reliable protocol for delivering accounting data, traffic
   flowing from a CRANE client to a CRANE server is mostly accounting
   data.  There are also bi-directional control message exchanges,
   though they comprise only a small portion of the traffic.

--

2.3 Alternate servers

   For purposes of improved reliability and robustness, redundant CRANE
   server configuration MAY be employed.  The CRANE protocol supports
   delivering accounting data to alternate CRANE servers, which may be
   part of a mediation system or a BSS.

   A CRANE session may comprise one or more CRANE servers.  The CRANE
   client is responsible for configuring network addresses of all CRANE
   servers belonging to the session.  A Server Priority is assigned to
   each CRANE server.
   The Server Priority reflects the CRANE client's preference regarding
   which CRANE server should receive accounting data.  The assignment of
   the Server Priority should consider factors such as geographical
   distance, communication cost, and CRANE server loading, etc.  It is
   also possible for several CRANE servers to have the same priority.
   In this case, the CRANE client could randomly choose one of them as
   the primary server to deliver accounting data.



Zhang & Elkin                Informational                      [Page 7]
--
   Additional features such as load balancing may be implemented in a
   multi-server environment.  The process of configuring a CRANE client
   is carried out using the NE's configuration system and is outside the
   scope of this document.

   A CRANE client MUST deliver accounting data to its perceived
   operating CRANE server with the highest priority; if this CRANE
   server is deemed unreachable, the CRANE client MUST deliver the
   accounting data to the next highest priority CRANE server that is
   perceived to be operating.  If no perceived operating CRANE servers
   are available, accounting data MUST be queued in the CRANE client
   until any CRANE server is available or the client's queue space runs
   out.  An alarm should be generated to inform the CRANE user of the
   queue overflow condition.

   Accounting data delivery SHOULD revert to the higher priority server
   when it is perceived to be operating again.

   The CRANE protocol does not specify how a CRANE client should
   redirect accounting data to other CRANE servers, which is considered
   an implementation issue.  But all the supporting mechanisms are
   provided by the protocol to work in a multiple-server environment
   (e.g., the template negotiation process, and configuration
   procedures, etc.).  The transport layer (together with some other
   means) is responsible for monitoring the server's responsiveness and
--
   issue and should occur under the following conditions:

   A) Transport layer notifies the CRANE client that the
      corresponding port of the CRANE server is unresponsive.

   B) Total size of unacknowledged accounting records has exceeded a
      threshold (configurable) for a certain duration (configurable).

   C) A STOP message is received from the active server.

   D) A lower priority server is the active one and a higher priority
--
RFC 3423            XACCT's CRANE Protocol Specification     November 2002


2.4 Templates

   The CRANE protocol enables efficient delivery of accounting data.
   This is achieved by negotiating a set of Data Templates for a CRANE
   session before actual accounting data is delivered.  A data template
   defines the structure of a DATA message payload by describing the
   data type, meaning, and location of the fields in the payload.  By
   agreeing on session templates, CRANE servers understand how to
   process DATA messages received from a CRANE client.  As a result, a
   CRANE client only needs to deliver actual accounting data without
   attaching any descriptors of the data; this reduces the number of
   bytes sent over communication links.

   A template is an ordered list of keys.  A key is the specification of
   a field in the template.  It specifies an accounting item that a
   network element MAY collect and export.  The specification MUST
   consist of the description and the data type of the accounting item
   (e.g., 'Number of Sent Bytes' can be a key that is an unsigned
   integer 32 bits long).  A CRANE client typically defines keys.

   The CRANE protocol supports usage of several templates concurrently
   (for different accounting records).  Keys contained in a template
   could be enabled or disabled.  An enabled key implies that the
   outgoing data record will contain the data item specified by the key.
   A disabled key implies that the outgoing record will omit the
   specified data item.  The enabling/disabling mechanism further
   reduces the bandwidth requirement; it could also reduce processing in
--
   priority within the CRANE session).  Each DATA message contains a
   Data Sequence Number (DSN).  The primary CRANE server MUST accept the
   data as long as it is in-sequence.  Out-of-sequence DATA messages
   should be discarded.

   The CRANE server detects the start of accounting data when it
   receives the first DATA message either after startup or after a
   server transition.  The first DATA message MUST have the 'S' bit
   ('DSN Synchronize' bit) set by the CRANE client.  Upon reception of
   the message with the initial DSN, the server MUST accept all
   in-sequence DATA messages.  The DSN MUST be incremented by 1 for each
   new DATA
--
   messages.  A server MAY issue a STATUS REQ to a CRANE client and
   receive a STATUS RSP message with the requested data.

2.9 CRANE Sessions

   A CRANE client MAY deliver accounting data to different
   mediation/billing systems by establishing different CRANE sessions.

--
   MUST be incremented by one for each new record transmitted.  The
   selection of the initial DSN number is implementation specific.

   Record Data: Variable Length unsigned octets

      The Record Data field carries the actual accounting/billing data
      that is structured according to the template identified by the
      Template ID field.

4.17 Data Acknowledge (DATA ACK)

--
rfc2500.txt:
--------   Transmission of IPv6 Packets over IPv4                   2529*
--------   Reserved IPv6 Subnet Anycast Addresses                   2526*
WEBDAV     HTTP Ext. for Distributed Authoring                      2518*
ATM-MIBMAN MIB for ATM Management                                   2515*
ATM-TC-OID ATM Textual Conventions and OIDs                         2514*
--------   Connection-Oriented Accounting MIB                       2513*
--------   Accounting Information for ATM Networks                  2512*
X.509-CRMF Internet X.509 CRMF                                      2511*
PKICMP     Internet X.509 PKI CMP                                   2510*
IPCOM-PPP  IP Header Compression over PPP                           2509*
--------   Compressing IP/UDP/RTP Headers                           2508*
--------   IP Header Compression                                    2507*
--

RFC 2500                   Internet Standards                  June 1999


CAST-128   CAST-128 Encryption Algorithm                            2144
RADIUS-ACC RADIUS Accounting                                        2139
DLSCAP     Data Link Switching Client Access Protocol               2114
PNG        Portable Network Graphics Version 1.0                    2083
RC5        RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms        2040
SNTP       Simple Network Time Protocol v4 for IPv4, IPv6 and OSI   2030
PGP-MEF    PGP Message Exchange Formats                             1991
--
rfc8506.txt:
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Terminology

   AAA: Authentication, Authorization, and Accounting.

   AA-Answer: "AA-Answer" generically refers to a service-specific
      authorization and authentication answer.  AA-Answer commands are
      defined in service-specific authorization applications, e.g.,
      [RFC7155] [RFC4004].
--
      Capabilities-Exchange-Request and Capabilities-Exchange-Answer
      commands [RFC6733].

2.  Architecture Models

   The current accounting models specified in the RADIUS accounting and
   Diameter base specifications [RFC2866] [RFC6733] are not sufficient
   for real-time credit-control, where creditworthiness is to be
   determined prior to service initiation.  Also, the existing Diameter
   authorization applications [RFC7155] [RFC4004] only provide service
   authorization; they do not provide credit authorization for prepaid
--

   A Service Element may authenticate and authorize the end user with
   the AAA server by using AAA protocols, e.g., RADIUS or the Diameter
   base protocol (possibly extended via a Diameter application).

   Accounting protocols such as RADIUS accounting and the Diameter base
   accounting protocol can be used to provide accounting data to the
   accounting server after service is initiated and to provide possible
   interim reports until service completion.  However, for real-time
   credit-control, these authorization and accounting models are not
   sufficient.

   When real-time credit-control is required, the credit-control client
   contacts the credit-control server with information about a possible
   service event.  The credit-control process is performed to determine
--
   The Diameter Credit-Control client in the Service Element may get
   information from the authorization server as to whether
   credit-control is required, based on its knowledge of the end user.
   If credit-control is required, the credit-control server needs to be
   contacted prior to initiating service delivery to the end user.  The
   accounting protocol and the credit-control protocol can be used in
   parallel.  The authorization server may also determine whether the
   parallel accounting stream is required.

--
   examples are given in Appendix A.

                                  Diameter
   End User       Service Element         AAA Server            CC Server
                    (CC Client)
      | Registration      | AA-Request/Answer(accounting, CC, or both)|
      |<----------------->|<------------------>|                      |
      |   :               |                    |                      |
      |   :               |                    |                      |
      | Service Request   |                    |                      |
      |------------------>|                    |                      |
      |                   | CCR(Initial, Credit-Control AVPs)         |
      |                  +|------------------------------------------>|
      |        CC stream ||                    |    CCA(Granted-Units)|
      |                  +|<------------------------------------------|
      | Service Delivery  |                    |                      |
      |<----------------->| ACR(start, Accounting AVPs)               |
      |   :               |------------------->|+                     |
      |   :               |      ACA           || Accounting stream   |
      |                   |<-------------------|+                     |
      |   :               |                    |                      |
      |   :               |                    |                      |
      |                   | CCR(Update, Used-Units)                   |
      |                   |------------------------------------------>|
--
      |                   | ACR(stop)          |                      |
      |                   |------------------->|                      |
      |                   |  ACA               |                      |
      |                   |<-------------------|                      |

   ACR: Accounting-Request
   ACA: Accounting-Answer

          Figure 3: Protocol Example with First Interrogation
                 after User's Authorization/Authentication

--

RFC 8506              Diameter Credit-Control Application       March 2019


   Figure 4 illustrates the use of authorization/authentication messages
   to perform the first interrogation.  The parallel accounting stream
   is not shown in the figure.

                                  Diameter
                  Service Element         AAA Server            CC Server
   End User         (CC Client)
--
Bertz, et al.                Standards Track                   [Page 41]

   The authorization server MAY include the Accounting-Realtime-Required
   AVP to determine what to do if the sending of accounting records to
   the accounting server has been temporarily prevented, as defined in
   [RFC6733].  It is RECOMMENDED that the client complement the
   credit-control failure procedures with a backup accounting flow
   toward an accounting server.  By using different combinations of the
   Accounting-Realtime-Required AVP and the CCFH, different safety
   levels can be built.  For example, by choosing a CCFH equal to
   CONTINUE for the credit-control flow and an
   Accounting-Realtime-Required AVP equal to DELIVER_AND_GRANT for the
   accounting flow, the service can be granted to the end user even if
   the connection to the credit-control server is down, as long as the
   accounting server is able to collect the accounting information and
   information exchange is taking place between the accounting server
   and credit-control server.
../data/rfc/rfc8506.txt- ../data/rfc/rfc8506.txt- As the credit-control application is based on real-time bidirectional ../data/rfc/rfc8506.txt- communication between the credit-control client and the ../data/rfc/rfc8506.txt- credit-control server, the usage of alternative destinations and the -- ../data/rfc/rfc8506.txt- Schooler, "SIP: Session Initiation Protocol", RFC 3261, ../data/rfc/rfc8506.txt- DOI 10.17487/RFC3261, June 2002, ../data/rfc/rfc8506.txt- <https://www.rfc-editor.org/info/rfc3261>. ../data/rfc/rfc8506.txt- ../data/rfc/rfc8506.txt- [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and ../data/rfc/rfc8506.txt: Accounting (AAA) Transport Profile", RFC 3539, ../data/rfc/rfc8506.txt- DOI 10.17487/RFC3539, June 2003, ../data/rfc/rfc8506.txt- <https://www.rfc-editor.org/info/rfc3539>. ../data/rfc/rfc8506.txt- ../data/rfc/rfc8506.txt- [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform ../data/rfc/rfc8506.txt- Resource Identifier (URI): Generic Syntax", STD 66, -- ../data/rfc/rfc8506.txt-RFC 8506 Diameter Credit-Control Application March 2019 ../data/rfc/rfc8506.txt- ../data/rfc/rfc8506.txt- ../data/rfc/rfc8506.txt-16.2. Informative References ../data/rfc/rfc8506.txt- ../data/rfc/rfc8506.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, ../data/rfc/rfc8506.txt- DOI 10.17487/RFC2866, June 2000, ../data/rfc/rfc8506.txt- <https://www.rfc-editor.org/info/rfc2866>. ../data/rfc/rfc8506.txt- ../data/rfc/rfc8506.txt- [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. 
Roese, ../data/rfc/rfc8506.txt- "IEEE 802.1X Remote Authentication Dial In User Service -- ../data/rfc/rfc3700.txt--------- Transport Layer Security (TLS) Extensions 3546 ../data/rfc/rfc3700.txt--------- Enhanced Compressed RTP (CRTP) for Links with High 3545 ../data/rfc/rfc3700.txt- Delay, Packet Loss and Reordering ../data/rfc/rfc3700.txt-IPCOM-PPP IP Header Compression over PPP 3544 ../data/rfc/rfc3700.txt--------- Registration Revocation in Mobile IPv4 3543 ../data/rfc/rfc3700.txt:-------- Authentication, Authorization and Accounting (AAA) 3539 ../data/rfc/rfc3700.txt- Transport Profile ../data/rfc/rfc3700.txt--------- Wrapping a Hashed Message Authentication Code (HMAC) 3537 ../data/rfc/rfc3700.txt- key with a Triple-Data Encryption Standard (DES) Key ../data/rfc/rfc3700.txt- or an Advanced Encryption Standard (AES) Key ../data/rfc/rfc3700.txt--------- The application/ogg Media Type 3534 -- ../data/rfc/rfc3700.txt-WEBDAV HTTP Extensions for Distributed Authoring -- WEBDAV 2518 ../data/rfc/rfc3700.txt-ATM-MIBMAN Definitions of Managed Objects for ATM Management 2515 ../data/rfc/rfc3700.txt-ATM-TC-OID Definitions of Textual Conventions and 2514 ../data/rfc/rfc3700.txt- OBJECT-IDENTITIES for ATM Management ../data/rfc/rfc3700.txt--------- Managed Objects for Controlling the Collection and 2513 ../data/rfc/rfc3700.txt: Storage of Accounting Information for ../data/rfc/rfc3700.txt- Connection-Oriented Networks ../data/rfc/rfc3700.txt:-------- Accounting Information for ATM Networks 2512 ../data/rfc/rfc3700.txt-X.509-CRMF Internet X.509 Certificate Request Message Format 2511 ../data/rfc/rfc3700.txt-PKICMP Internet X.509 Public Key Infrastructure Certificate 2510 ../data/rfc/rfc3700.txt- Management Protocols ../data/rfc/rfc3700.txt--------- Compressing IP/UDP/RTP Headers for Low-Speed Serial 2508 ../data/rfc/rfc3700.txt- Links -- ../data/rfc/rfc3700.txt- Control Protocol Transport Mapping ../data/rfc/rfc3700.txt--------- Select and Sort Extensions for the Service 
Location 3421 ../data/rfc/rfc3700.txt- Protocol (SLP) ../data/rfc/rfc3700.txt--------- The Application Exchange (APEX) Presence Service 3343 ../data/rfc/rfc3700.txt--------- Dual Stack Hosts Using "Bump-in-the-API" (BIA) 3338 ../data/rfc/rfc3700.txt:-------- Policy-Based Accounting 3334 ../data/rfc/rfc3700.txt--------- PGM Reliable Transport Protocol Specification 3208 ../data/rfc/rfc3700.txt--------- Domain Security Services using S/MIME 3183 ../data/rfc/rfc3700.txt-SMX Script MIB Extensibility Protocol Version 1.1 3179 ../data/rfc/rfc3700.txt--------- ISO/IEC 9798-3 Authentication SASL Mechanism 3163 ../data/rfc/rfc3700.txt- -- ../data/rfc/rfc4365.txt- to attach a remote user or site to a VRF. The authentication ../data/rfc/rfc4365.txt- procedure in this case is part of IPsec, not part of the VPN scheme. ../data/rfc/rfc4365.txt- ../data/rfc/rfc4365.txt- Where L2TP is used, each PPP session carried in an L2TP tunnel can be ../data/rfc/rfc4365.txt- associated with a VRF. The SP's Authentication, Authorization, and ../data/rfc/rfc4365.txt: Accounting (AAA) server can be used to determine the VPN to which the ../data/rfc/rfc4365.txt- PPP session belongs, and then the customer's AAA server can be given ../data/rfc/rfc4365.txt- the opportunity to authenticate that session as well. ../data/rfc/rfc4365.txt- ../data/rfc/rfc4365.txt-6. Security Considerations ../data/rfc/rfc4365.txt- -- ../data/rfc/rfc4365.txt- ../data/rfc/rfc4365.txt- Devices supporting BGP/MPLS IP VPNs that employ the management ../data/rfc/rfc4365.txt- interface characteristics described above will also support the ITU-T ../data/rfc/rfc4365.txt- Telecommunications Management Network Model "FCAPS" functionalities ../data/rfc/rfc4365.txt- as required in the L3VPN Requirements document. These include Fault, ../data/rfc/rfc4365.txt: Configuration, Accounting, Provisioning, and Security. ../data/rfc/rfc4365.txt- ../data/rfc/rfc4365.txt- In BGP/MPLS IP VPNs, the SP is not required to manage the CE devices. 
../data/rfc/rfc4365.txt- However, if it is desired for the SP to do so, the SP may manage CE ../data/rfc/rfc4365.txt- devices from a central site, provided that a route to the central ../data/rfc/rfc4365.txt- site is exported into the CE's VPN, and the central site is in a VPN -- ../data/rfc/rfc2094.txt- ../data/rfc/rfc2094.txt- There are some life cycle and security concerns with the software ../data/rfc/rfc2094.txt- while in transit, stored, distributed, and installed. A one-time ../data/rfc/rfc2094.txt- start-up procedure must verify the identity of the host. Procedural ../data/rfc/rfc2094.txt- and physical identification techniques will verify the identity of ../data/rfc/rfc2094.txt: the host (i.e., the Armed Forces Courier Service (ARFCS) accounting, ../data/rfc/rfc2094.txt- or registered mail). Upon key delivery the security manager logs ../data/rfc/rfc2094.txt- its receipt and assumes responsibility for the key. ../data/rfc/rfc2094.txt- ../data/rfc/rfc2094.txt- After proper installation of the software a paper trail verifies the ../data/rfc/rfc2094.txt- recipient. The computer would initiate an association with the -- ../data/rfc/rfc2094.txt- Compromise recovery management If a group member is found ../data/rfc/rfc2094.txt- compromised, the protocol must facilitate the exclusion of the ../data/rfc/rfc2094.txt- compromised member and return to secure operations. The security ../data/rfc/rfc2094.txt- management function will provide control of compromise recovery. ../data/rfc/rfc2094.txt- ../data/rfc/rfc2094.txt: Usually, physical inspections or accounting techniques find ../data/rfc/rfc2094.txt- compromises. These separate systems report the compromise to the key ../data/rfc/rfc2094.txt- management system. We must assume the loss of all key resident at ../data/rfc/rfc2094.txt- that host. The security management function will rescind the ../data/rfc/rfc2094.txt- permission allocated to this compromised host.
We create a list of ../data/rfc/rfc2094.txt- all known compromised hosts and distribute that list across the -- ../data/rfc/rfc1017.txt- of link level or end-to-end encryption, or other such methods that ../data/rfc/rfc1017.txt- can be added at a later time. An example of this kind of capability ../data/rfc/rfc1017.txt- would be use of KG-84A link encryptors on MILNET or the Fig Leaf ../data/rfc/rfc1017.txt- DES-based end-to-end encryption box developed by DARPA. ../data/rfc/rfc1017.txt- ../data/rfc/rfc1017.txt:Accounting ../data/rfc/rfc1017.txt- ../data/rfc/rfc1017.txt: The network should provide adequate accounting procedures to track ../data/rfc/rfc1017.txt: the consumption of network resources. Accounting of network ../data/rfc/rfc1017.txt- resources is also important for the management of the network, and ../data/rfc/rfc1017.txt- particularly the management of interconnections with other networks. ../data/rfc/rfc1017.txt: Proper use of the accounting database should allow network management ../data/rfc/rfc1017.txt- personnel to determine the "flows" of data on the network, and the ../data/rfc/rfc1017.txt- identification of bottlenecks in network resources. This capability ../data/rfc/rfc1017.txt- also has secondary value in tracking down intrusions of the network, ../data/rfc/rfc1017.txt- and in providing an audit trail if malicious abuse should occur. In ../data/rfc/rfc1017.txt: addition, accounting of higher level network services (such as ../data/rfc/rfc1017.txt- terminal serving) should be kept track of for the same reasons.
../data/rfc/rfc1017.txt- ../data/rfc/rfc1017.txt-Type of Service Routing ../data/rfc/rfc1017.txt- ../data/rfc/rfc1017.txt- Type of service routing is necessary since not all elements of -- ../data/rfc/rfc1017.txt-Leiner [Page 17] ../data/rfc/rfc1017.txt- ../data/rfc/rfc1017.txt-RFC 1017 Requirements for Scientific Research August 1987 ../data/rfc/rfc1017.txt- ../data/rfc/rfc1017.txt- ../data/rfc/rfc1017.txt:Accounting ../data/rfc/rfc1017.txt- ../data/rfc/rfc1017.txt: To permit auditing of usage, accounting information should be ../data/rfc/rfc1017.txt- provided for those resources for which it is deemed necessary. This ../data/rfc/rfc1017.txt- would include identity of the user of the resource and the ../data/rfc/rfc1017.txt- corresponding volume of resource components. ../data/rfc/rfc1017.txt- ../data/rfc/rfc1017.txt-Legalities of Interagency Research Internet -- ../data/rfc/rfc170.txt- Meeting) 22 April 1971 5849 131 ../data/rfc/rfc170.txt-White Typographical Error in RFC 107 28 April 1971 6708 132 ../data/rfc/rfc170.txt-Sundberg File Transfer and Recovery 27 April 1971 6710 133 ../data/rfc/rfc170.txt-Vezza Network Graphics Meeting 29 April 1971 6711 134 ../data/rfc/rfc170.txt-Hathaway Response to NWG/RFC 110 29 April 1971 6712 135 ../data/rfc/rfc170.txt:Kahn Host Accounting and Administrative ../data/rfc/rfc170.txt- Procedures 29 April 1971 6713 136 ../data/rfc/rfc170.txt-O'Sullivan TELNET Protocol -- A Proposed ../data/rfc/rfc170.txt- Document 30 April 1971 6714 137 ../data/rfc/rfc170.txt-O'Sullivan TELNET Protocol -- A Proposed ../data/rfc/rfc170.txt- Document (rev.) 8 May 1971 6703 rev 137 -- ../data/rfc/rfc7029.txt- ../data/rfc/rfc7029.txt- Consider the following example. A relatively untrusted service, say ../data/rfc/rfc7029.txt- a print server, has been compromised. A user is attempting to ../data/rfc/rfc7029.txt- connect to a trusted service such as a financial application. 
Both ../data/rfc/rfc7029.txt- the print server and the financial application use an Authentication, ../data/rfc/rfc7029.txt: Authorization, and Accounting protocol (AAA) to transport EAP ../data/rfc/rfc7029.txt- authentication back to the user's EAP server. The print server ../data/rfc/rfc7029.txt- mounts a man-in-the-middle attack on the user's connection to the ../data/rfc/rfc7029.txt- financial application and claims to be the application. ../data/rfc/rfc7029.txt- ../data/rfc/rfc7029.txt- The print server offers a tunnel method towards the peer. The print -- ../data/rfc/rfc4230.txt- when exchanging policy information. Hence, we can assume that ../data/rfc/rfc4230.txt- the policy decision point may use information from an initial ../data/rfc/rfc4230.txt- authentication and key agreement protocol (which may have already ../data/rfc/rfc4230.txt- required cross-realm communication with the user's home domain, ../data/rfc/rfc4230.txt- if only to show that the home domain knows the user and that the ../data/rfc/rfc4230.txt: user is entitled to roam), to forward accounting messages to this ../data/rfc/rfc4230.txt- domain. This represents the traditional subscriber-based ../data/rfc/rfc4230.txt: accounting scenario. Non-traditional or alternative means of ../data/rfc/rfc4230.txt- access might be deployed in the near future that do not require ../data/rfc/rfc4230.txt- any type of inter-domain communication. ../data/rfc/rfc4230.txt- ../data/rfc/rfc4230.txt- Additional discussions are required to determine the expected ../data/rfc/rfc4230.txt- authorization procedures. [34] and [35] discuss authorization -- ../data/rfc/rfc4230.txt- ../data/rfc/rfc4230.txt- [33] Raeburn, K., "Encryption and Checksum Specifications for ../data/rfc/rfc4230.txt- Kerberos 5", RFC 3961, February 2005. ../data/rfc/rfc4230.txt- ../data/rfc/rfc4230.txt- [34] Tschofenig, H., Buechli, M., Van den Bosch, S., and H. 
../data/rfc/rfc4230.txt: Schulzrinne, "NSIS Authentication, Authorization and Accounting ../data/rfc/rfc4230.txt- Issues", Work in Progress, March 2003. ../data/rfc/rfc4230.txt- ../data/rfc/rfc4230.txt- ../data/rfc/rfc4230.txt- ../data/rfc/rfc4230.txt-Tschofenig & Graveman Informational [Page 42] -- ../data/rfc/rfc4230.txt- Work in Progress, October 2005. ../data/rfc/rfc4230.txt- ../data/rfc/rfc4230.txt- [41] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC ../data/rfc/rfc4230.txt- 4306, November 2005. ../data/rfc/rfc4230.txt- ../data/rfc/rfc4230.txt: [42] Herzog, S., "Accounting and Access Control in RSVP", PhD ../data/rfc/rfc4230.txt- Dissertation, USC, Work in Progress, November 1995. ../data/rfc/rfc4230.txt- ../data/rfc/rfc4230.txt: [43] Herzog, S., "Accounting and Access Control for Multicast ../data/rfc/rfc4230.txt- Distributions: Models and Mechanisms", June 1996. ../data/rfc/rfc4230.txt- ../data/rfc/rfc4230.txt- [44] Pato, J., "Using Pre-Authentication to Avoid Password Guessing ../data/rfc/rfc4230.txt- Attacks", Open Software Foundation DCE Request for Comments, ../data/rfc/rfc4230.txt- December 1992. -- ../data/rfc/rfc6611.txt- ../data/rfc/rfc6611.txt- In the integrated scenario, the bootstrapping of the home agent ../data/rfc/rfc6611.txt- information can be achieved via DHCPv6. This document defines the ../data/rfc/rfc6611.txt- MIPv6 bootstrapping procedures for the integrated scenario. It ../data/rfc/rfc6611.txt- enables home agent assignment in the integrated scenario by utilizing ../data/rfc/rfc6611.txt: DHCP and Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc6611.txt- protocols. The specification utilizes DHCP and AAA options and ../data/rfc/rfc6611.txt- attribute-value pairs (AVPs) that are defined in [RFC6610] and ../data/rfc/rfc6611.txt- [RFC5447]. 
This document specifies the interworking among Mobile ../data/rfc/rfc6611.txt- Node (MN), Network Access Server (NAS), DHCP, and AAA entities for ../data/rfc/rfc6611.txt- the bootstrapping procedure in the integrated scenario. -- ../data/rfc/rfc7458.txt- protocol is required for mobile devices to access the mobile Evolved ../data/rfc/rfc7458.txt- Packet Core (EPC) via Wi-Fi networks. This document defines a few ../data/rfc/rfc7458.txt- new EAP attributes to enable the above-mentioned functions in such ../data/rfc/rfc7458.txt- networks. The attributes are exchanged between a client (such as a ../data/rfc/rfc7458.txt- Mobile Node (MN)) and its network counterpart (such as an ../data/rfc/rfc7458.txt: Authentication, Authorization, and Accounting (AAA) server) in the ../data/rfc/rfc7458.txt- service provider's infrastructure. ../data/rfc/rfc7458.txt- ../data/rfc/rfc7458.txt-Status of This Memo ../data/rfc/rfc7458.txt- ../data/rfc/rfc7458.txt- This document is not an Internet Standards Track specification; it is -- ../data/rfc/rfc8272.txt-Schmitt, et al. Informational [Page 9] ../data/rfc/rfc8272.txt- ../data/rfc/rfc8272.txt-RFC 8272 TinyIPFIX November 2017 ../data/rfc/rfc8272.txt- ../data/rfc/rfc8272.txt- ../data/rfc/rfc8272.txt: Applications that use smart sensors for accounting purposes for long- ../data/rfc/rfc8272.txt- term measurements can benefit from the use of TinyIPFIX. One ../data/rfc/rfc8272.txt- application for IPFIX is long-term monitoring of large physical ../data/rfc/rfc8272.txt- volumes. In [Tolle05], Tolle et al. built a system for monitoring a ../data/rfc/rfc8272.txt- "70-meter tall redwood tree, at a density interval of 5 minutes in ../data/rfc/rfc8272.txt- time and 2 meters in space". The sensor node infrastructure was -- ../data/rfc/rfc8272.txt- combines several TinyIPFIX Messages into a single TinyIPFIX ../data/rfc/rfc8272.txt- Message before forwarding them. ../data/rfc/rfc8272.txt- ../data/rfc/rfc8272.txt- 3. 
The application must accept potential packet loss. TinyIPFIX ../data/rfc/rfc8272.txt- only fits for applications where metering data is stored for ../data/rfc/rfc8272.txt: accounting purposes and not for applications where the sensor ../data/rfc/rfc8272.txt- data triggers configuration changes or policy decisions, except ../data/rfc/rfc8272.txt- when Message loss is acceptable for some reason. ../data/rfc/rfc8272.txt- ../data/rfc/rfc8272.txt- 4. The application must not require per-message export timestamps ../data/rfc/rfc8272.txt- (e.g., for auditing). TinyIPFIX removes export timestamps, -- ../data/rfc/rfc5772.txt- The routing system should be sufficiently flexible to accommodate the ../data/rfc/rfc5772.txt- continually changing business relationships of the providers and the ../data/rfc/rfc5772.txt- various levels of trustworthiness that they apply to customers and ../data/rfc/rfc5772.txt- partners. ../data/rfc/rfc5772.txt- ../data/rfc/rfc5772.txt: Service providers will need to be involved in accounting for Internet ../data/rfc/rfc5772.txt- usage and monitoring the traffic. They may be involved in government ../data/rfc/rfc5772.txt- action to tax the usage of the Internet, enforce social mores and ../data/rfc/rfc5772.txt- intellectual property rules, or apply surveillance to the traffic to ../data/rfc/rfc5772.txt- detect or prevent crime. ../data/rfc/rfc5772.txt- -- ../data/rfc/rfc5772.txt- At present, there is an almost total lack of effective traffic ../data/rfc/rfc5772.txt- engineering tools, whether in real time for network control or off- ../data/rfc/rfc5772.txt- line for network planning. The routing system should encourage the ../data/rfc/rfc5772.txt- provision of such tools. 
../data/rfc/rfc5772.txt- ../data/rfc/rfc5772.txt: R(41) The routing system must generate statistical and accounting ../data/rfc/rfc5772.txt- information in such a way that traffic engineering and network ../data/rfc/rfc5772.txt- planning tools can be used in both real-time and off-line ../data/rfc/rfc5772.txt- planning and management. ../data/rfc/rfc5772.txt- ../data/rfc/rfc5772.txt-3.6.7.2. Support of Multiple Parallel Paths -- ../data/rfc/rfc2205.txt- ../data/rfc/rfc2205.txt- o Policy control ../data/rfc/rfc2205.txt- ../data/rfc/rfc2205.txt- A function that determines whether a new request for quality of ../data/rfc/rfc2205.txt- service has administrative permission to make the requested ../data/rfc/rfc2205.txt: reservation. Policy control may also perform accounting (usage ../data/rfc/rfc2205.txt- feedback) for a reservation. ../data/rfc/rfc2205.txt- ../data/rfc/rfc2205.txt- o Policy data ../data/rfc/rfc2205.txt- ../data/rfc/rfc2205.txt- Data carried in a Path or Resv message and used as input to -- ../data/rfc/rfc409.txt- Note: If the user's login directory name exceeds eight characters in ../data/rfc/rfc409.txt- length, the user must explicitly supply a user name; no default is ../data/rfc/rfc409.txt- available. ../data/rfc/rfc409.txt- ../data/rfc/rfc409.txt- Whenever SMFS interacts with the server process at Santa Barbara on ../data/rfc/rfc409.txt: the user's behalf, it does so with the accounting parameters then in ../data/rfc/rfc409.txt- the accumulators. ../data/rfc/rfc409.txt- ../data/rfc/rfc409.txt- ../data/rfc/rfc409.txt- ../data/rfc/rfc409.txt- -- ../data/rfc/rfc6959.txt- 3.1.1. Single-Packet Attacks ...............................6 ../data/rfc/rfc6959.txt- 3.1.2. Flood-Based DoS .....................................7 ../data/rfc/rfc6959.txt- 3.1.3. Poisoning Attacks ...................................8 ../data/rfc/rfc6959.txt- 3.1.4. Spoof-Based Worm/Malware Propagation ................8 ../data/rfc/rfc6959.txt- 3.1.5. 
Reflective Attacks ..................................8 ../data/rfc/rfc6959.txt: 3.1.6. Accounting Subversion ...............................9 ../data/rfc/rfc6959.txt- 3.1.7. Other Blind Spoofing Attacks ........................9 ../data/rfc/rfc6959.txt- 3.2. Non-blind Attacks ..........................................9 ../data/rfc/rfc6959.txt- 3.2.1. Man in the Middle (MITM) ............................9 ../data/rfc/rfc6959.txt- 3.2.2. Third-Party Recon ..................................10 ../data/rfc/rfc6959.txt- 3.2.3. Other Non-blind Spoofing Attacks ...................10 -- ../data/rfc/rfc6959.txt- attacker and generating a large amount of ICMP echo response traffic ../data/rfc/rfc6959.txt- directed towards a target system. These attacks have been ../data/rfc/rfc6959.txt- particularly effective in large campus LAN environments where 50K or ../data/rfc/rfc6959.txt- more hosts might reside on a single subnet. ../data/rfc/rfc6959.txt- ../data/rfc/rfc6959.txt:3.1.6. Accounting Subversion ../data/rfc/rfc6959.txt- ../data/rfc/rfc6959.txt- If an attacker wishes to distribute content or other material in a ../data/rfc/rfc6959.txt- manner that employs protocols that require only unidirectional ../data/rfc/rfc6959.txt- flooding and generate no end-to-end transactional state, they may ../data/rfc/rfc6959.txt- desire to spoof the source IP address of that content in order to ../data/rfc/rfc6959.txt: avoid detection or accounting functions enabled at the IP layer. ../data/rfc/rfc6959.txt- While this particular attack has not been observed, it is included ../data/rfc/rfc6959.txt- here to reflect the range of power that spoofed addresses may have, ../data/rfc/rfc6959.txt- even without the ability to receive responses. ../data/rfc/rfc6959.txt- ../data/rfc/rfc6959.txt-3.1.7. Other Blind Spoofing Attacks -- ../data/rfc/rfc765.txt- the TELNET connections are made (some servers may require ../data/rfc/rfc765.txt- this). 
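The accounting-subversion attack of RFC 6959 section 3.1.6, worked as an added example that is not part of the RFC: one access subnet pushes a one-way stream with a forged source address, so accounting keyed on the source alone charges the impersonated subscriber and hides the real sender. The packet layout, interface-to-prefix assignments and sample packets are constructed here. The check shown, validating the source address against the prefix assigned to the ingress interface, is the standard ingress-filtering mitigation and is an addition of this example, not something the quoted text describes.

```python
"""Source spoofing against IP-layer accounting, and the ingress check
that catches it. Added example; not code from RFC 6959."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str     # interface the packet arrived on (constructed label)
    src: str
    dst: str
    length: int      # octets


# Prefix legitimately assigned behind each access interface (constructed).
INGRESS_PREFIX = {
    "eth1": ipaddress.ip_network("10.10.1.0/24"),
    "eth2": ipaddress.ip_network("10.10.2.0/24"),
}

# Constructed traffic: the host 10.10.2.7 behind eth2 forges 10.10.1.5
# (a subscriber behind eth1) while sending a unidirectional stream. It never
# needs the replies, which is exactly the case the RFC describes.
PACKETS = [
    Packet("eth1", "10.10.1.5", "198.51.100.9", 1200),
    Packet("eth2", "10.10.2.7", "198.51.100.9", 1200),
    Packet("eth2", "10.10.1.5", "203.0.113.44", 1500),  # spoofed source
    Packet("eth2", "10.10.1.5", "203.0.113.44", 1500),  # spoofed source
]


def account_by_source(packets):
    """Naive IP-layer accounting keyed on the source address alone.
    The forged packets are charged to 10.10.1.5, the impersonated host."""
    totals = defaultdict(int)
    for p in packets:
        totals[p.src] += p.length
    return dict(totals)


def source_is_valid(packet, prefixes=INGRESS_PREFIX):
    """Ingress source-address validation: accept the packet only if its
    source lies inside the prefix assigned to the interface it arrived on."""
    prefix = prefixes.get(packet.ingress)
    return prefix is not None and ipaddress.ip_address(packet.src) in prefix


def account_with_validation(packets, prefixes=INGRESS_PREFIX):
    """Accounting that validates first and keys on (ingress, source), so a
    forged source is rejected and reported against the interface it really
    came from instead of being billed to the impersonated subscriber.
    Returns (totals, rejected_packets)."""
    totals = defaultdict(int)
    rejected = []
    for p in packets:
        if source_is_valid(p, prefixes):
            totals[(p.ingress, p.src)] += p.length
        else:
            rejected.append(p)
    return dict(totals), rejected
```

The validation only works at an edge that knows which prefix belongs behind each interface; a spoofer that picks another address inside its own /24 still passes this check, so attribution within a shared access prefix needs a per-host binding (for example from the address-assignment records) rather than a per-interface one.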
Additional identification information in the form of ../data/rfc/rfc765.txt- a password and/or an account command may also be required by ../data/rfc/rfc765.txt- some servers. Servers may allow a new USER command to be ../data/rfc/rfc765.txt- entered at any point in order to change the access control ../data/rfc/rfc765.txt: and/or accounting information. This has the effect of ../data/rfc/rfc765.txt- flushing any user, password, and account information already ../data/rfc/rfc765.txt- supplied and beginning the login sequence again. All ../data/rfc/rfc765.txt- transfer parameters are unchanged and any file transfer in ../data/rfc/rfc765.txt- progress is completed under the old account. ../data/rfc/rfc765.txt- -- ../data/rfc/rfc765.txt- ../data/rfc/rfc765.txt- CHANGE WORKING DIRECTORY (CWD) ../data/rfc/rfc765.txt- ../data/rfc/rfc765.txt- This command allows the user to work with a different ../data/rfc/rfc765.txt- directory or dataset for file storage or retrieval without ../data/rfc/rfc765.txt: altering his login or accounting information. Transfer ../data/rfc/rfc765.txt- parameters are similarly unchanged. The argument is a ../data/rfc/rfc765.txt- pathname specifying a directory or other system dependent ../data/rfc/rfc765.txt- file group designator. ../data/rfc/rfc765.txt- ../data/rfc/rfc765.txt- LIST (LIST) -- ../data/rfc/rfc765.txt- information, such as status or help. ../data/rfc/rfc765.txt- ../data/rfc/rfc765.txt- x2z Connections - Replies referring to the TELNET and data ../data/rfc/rfc765.txt- connections. ../data/rfc/rfc765.txt- ../data/rfc/rfc765.txt: x3z Authentication and accounting - Replies for the login ../data/rfc/rfc765.txt: process and accounting procedures. ../data/rfc/rfc765.txt- ../data/rfc/rfc765.txt- x4z Unspecified as yet ../data/rfc/rfc765.txt- ../data/rfc/rfc765.txt- ../data/rfc/rfc765.txt- -- ../data/rfc/rfc5416.txt- involved in the access policy enforcement portion of the IEEE 802.11 ../data/rfc/rfc5416.txt- protocol. 
The IEEE 802.1X [IEEE.802-1X.2004], Extensible ../data/rfc/rfc5416.txt- Authentication Protocol (EAP) [RFC3748] and IEEE Robust Security ../data/rfc/rfc5416.txt- Network Association (RSNA) Key Management [IEEE.802-11.2007] ../data/rfc/rfc5416.txt- functions are also located on the AC. This implies that the ../data/rfc/rfc5416.txt: Authentication, Authorization, and Accounting (AAA) client also ../data/rfc/rfc5416.txt- resides on the AC. ../data/rfc/rfc5416.txt- ../data/rfc/rfc5416.txt- While the admission control component of IEEE 802.11 resides on the ../data/rfc/rfc5416.txt- AC, the real-time scheduling and queuing functions are on the WTP. ../data/rfc/rfc5416.txt- Note that this does not prevent the AC from providing additional -- ../data/rfc/rfc5841.txt- confused if the payload contains complex philosophical questions that ../data/rfc/rfc5841.txt- make one ponder the meaning of life and one's place in the universe. ../data/rfc/rfc5841.txt- ../data/rfc/rfc5841.txt-4.5. Bored Packets ../data/rfc/rfc5841.txt- ../data/rfc/rfc5841.txt: Packets carrying accounting data with debits, credits, and so on MUST ../data/rfc/rfc5841.txt- be marked as 'bored'. ../data/rfc/rfc5841.txt- ../data/rfc/rfc5841.txt- It could be said that many people consider RFCs boring. Packets ../data/rfc/rfc5841.txt- containing RFC text MAY be marked as 'bored'. ../data/rfc/rfc5841.txt- -- ../data/rfc/rfc3042.txt- ../data/rfc/rfc3042.txt- One could imagine some limited protection against false duplicate ../data/rfc/rfc3042.txt- ACKs for a non-SACK TCP connection, where the TCP sender keeps a ../data/rfc/rfc3042.txt- record of the number of packets transmitted, and recognizes at most ../data/rfc/rfc3042.txt- one acknowledgment per packet to be used for triggering the sending ../data/rfc/rfc3042.txt: of new data. 
However, this accounting of packets transmitted and ../data/rfc/rfc3042.txt- acknowledged would require additional state and extra complexity at ../data/rfc/rfc3042.txt- the TCP sender, and does not seem necessary. ../data/rfc/rfc3042.txt- ../data/rfc/rfc3042.txt- The most important protection against false duplicate ACKs comes from ../data/rfc/rfc3042.txt- the limited potential of duplicate ACKs in subverting end-to-end -- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-2989 Aboba Nov 2000 Criteria for Evaluating AAA ../data/rfc/rfc2999.txt- Protocols for Network Access ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-This document represents a summary of Authentication, Authorization, ../data/rfc/rfc2999.txt:Accounting (AAA) protocol requirements for network access. This memo ../data/rfc/rfc2999.txt-provides information for the Internet community. ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-Ginoza Informational [Page 3] -- ../data/rfc/rfc2999.txt-document specifies an Internet Best Current Practices for the Internet ../data/rfc/rfc2999.txt-Community, and requests discussion and suggestions for improvements. ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-2977 Glass Oct 2000 Mobile IP Authentication, ../data/rfc/rfc2999.txt: Authorization, and Accounting ../data/rfc/rfc2999.txt- Requirements ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-This document contains the requirements which would have to be supported ../data/rfc/rfc2999.txt-by a AAA service to aid in providing Mobile IP services. This memo ../data/rfc/rfc2999.txt-provides information for the Internet community. -- ../data/rfc/rfc2999.txt-intent of the INFO method is to allow for the carrying of session ../data/rfc/rfc2999.txt-related control information that is generated during a session. 
../data/rfc/rfc2999.txt-[STANDARDS TRACK] ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt:2975 Aboba Oct 2000 Introduction to Accounting ../data/rfc/rfc2999.txt- Management ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-This document describes and discusses the issues involved in the design ../data/rfc/rfc2999.txt:of modern accounting systems. The field of Accounting Management is ../data/rfc/rfc2999.txt-concerned with the collection of resource consumption ../data/rfc/rfc2999.txt-data for the purposes of capacity and trend analysis, cost allocation, ../data/rfc/rfc2999.txt-auditing, and billing. This memo provides information for the Internet ../data/rfc/rfc2999.txt-community. ../data/rfc/rfc2999.txt- -- ../data/rfc/rfc2999.txt-Ginoza Informational [Page 16] ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-RFC 2999 Summary of 2900-2999 August 2001 ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt:2924 Brownlee Sep 2000 Accounting Attributes and ../data/rfc/rfc2999.txt- Record Formats ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-This document summarises Internet Engineering Task Force (IETF) and ../data/rfc/rfc2999.txt-International Telecommunication Union (ITU-T) documents related to ../data/rfc/rfc2999.txt:Accounting. This memo provides information for the Internet community. ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-2923 Lahey Sep 2000 TCP Problems with Path MTU ../data/rfc/rfc2999.txt- Discovery ../data/rfc/rfc2999.txt- -- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-2906 Farrell Aug 2000 AAA Authorization Requirements ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-This document specifies the requirements that Authentication ../data/rfc/rfc2999.txt:Authorization Accounting (AAA) protocols must meet in order to support ../data/rfc/rfc2999.txt-authorization services in the Internet.
This memo provides information ../data/rfc/rfc2999.txt-for the Internet community. ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-2905 Vollbrecht Aug 2000 AAA Authorization Application -- ../data/rfc/rfc2999.txt-RFC 2999 Summary of 2900-2999 August 2001 ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt-2903 de Laat Aug 2000 Generic AAA Architecture ../data/rfc/rfc2999.txt- ../data/rfc/rfc2999.txt:This memo proposes an Authentication, Authorization, Accounting (AAA) ../data/rfc/rfc2999.txt-architecture that would incorporate a generic AAA server along with an ../data/rfc/rfc2999.txt-application interface to a set of Application Specific Modules that ../data/rfc/rfc2999.txt-could perform application specific AAA functions. This memo defines an ../data/rfc/rfc2999.txt-Experimental Protocol for the Internet community. ../data/rfc/rfc2999.txt- -- ../data/rfc/rfc5624.txt- ../data/rfc/rfc5624.txt-6. Security Considerations ../data/rfc/rfc5624.txt- ../data/rfc/rfc5624.txt- This document does not raise any security concerns as it only defines ../data/rfc/rfc5624.txt- QoS parameters and does not yet describe how they are exchanged in an ../data/rfc/rfc5624.txt: Authentication, Authorization, and Accounting (AAA) protocol. ../data/rfc/rfc5624.txt- Security considerations are described in documents using this ../data/rfc/rfc5624.txt- specification. ../data/rfc/rfc5624.txt- ../data/rfc/rfc5624.txt-7. Acknowledgements ../data/rfc/rfc5624.txt- -- ../data/rfc/rfc4764.txt- mechanism, EAP-PSK will be able to provide more sophisticated ../data/rfc/rfc4764.txt- services as the need to do so arises. ../data/rfc/rfc4764.txt- ../data/rfc/rfc4764.txt-1.2. Terminology ../data/rfc/rfc4764.txt- ../data/rfc/rfc4764.txt: Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc4764.txt- Please refer to [10] for more details. 
../data/rfc/rfc4764.txt- ../data/rfc/rfc4764.txt- AES-128 A block cipher specified in the Advanced Encryption ../data/rfc/rfc4764.txt- Standard [7]. ../data/rfc/rfc4764.txt- -- ../data/rfc/rfc4764.txt- ../data/rfc/rfc4764.txt-7.2. Allocation of EXT Type Numbers ../data/rfc/rfc4764.txt- ../data/rfc/rfc4764.txt- EAP-PSK is not intended as a general-purpose protocol, and ../data/rfc/rfc4764.txt- allocations of EXT_Type should not be made for purposes unrelated to ../data/rfc/rfc4764.txt: authentication, authorization, and accounting. ../data/rfc/rfc4764.txt- ../data/rfc/rfc4764.txt- EXT_Type numbers have a range from 1 to 255. ../data/rfc/rfc4764.txt- ../data/rfc/rfc4764.txt- ../data/rfc/rfc4764.txt- -- ../data/rfc/rfc5659.txt- ../data/rfc/rfc5659.txt- o Operations, Administration, and Maintenance (OAM). Note that ../data/rfc/rfc5659.txt- this is synonymous with 'Operations and Maintenance' referred to ../data/rfc/rfc5659.txt- in RFC 5254 [5]. ../data/rfc/rfc5659.txt- ../data/rfc/rfc5659.txt: o Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc5659.txt- ../data/rfc/rfc5659.txt- o Security mechanisms ../data/rfc/rfc5659.txt- ../data/rfc/rfc5659.txt- Further security-related architectural considerations are described ../data/rfc/rfc5659.txt- in Section 12. -- ../data/rfc/rfc1498.txt-RFC 1498 On the Naming and Binding of Network Destinations August 1993 ../data/rfc/rfc1498.txt- ../data/rfc/rfc1498.txt- ../data/rfc/rfc1498.txt- 1. Service and Users. These are the functions that one uses, and ../data/rfc/rfc1498.txt- the clients that use them. Examples of services are one that ../data/rfc/rfc1498.txt: tells the time of day, one that performs accounting, or one ../data/rfc/rfc1498.txt- that forwards packets. An example of a client is a particular ../data/rfc/rfc1498.txt- desktop computer. ../data/rfc/rfc1498.txt- ../data/rfc/rfc1498.txt- 2. Nodes. These are computers that can run services or user ../data/rfc/rfc1498.txt- programs. 
Some nodes are clients of the network, while others -- ../data/rfc/rfc5950.txt- ../data/rfc/rfc5950.txt- provide a data reduction mechanism on the information received across ../data/rfc/rfc5950.txt- the MP Reference Points. ../data/rfc/rfc5950.txt- ../data/rfc/rfc5950.txt- The EMF includes functions such as Date and Time, FCAPS (Fault, ../data/rfc/rfc5950.txt: Configuration, Accounting, Performance, and Security) management, and ../data/rfc/rfc5950.txt- Control Plane functions. The EMF provides event message processing, ../data/rfc/rfc5950.txt- data storage, and logging. The management Agent, a component of the ../data/rfc/rfc5950.txt- EMF, converts internal management information (MI signals) into ../data/rfc/rfc5950.txt- Management Application messages and vice versa. The Agent responds ../data/rfc/rfc5950.txt- to Management Application messages from the Message Communication -- ../data/rfc/rfc2099.txt-The Internet Message Access Protocol, Version 4rev1 (IMAP4rev1) allows a ../data/rfc/rfc2099.txt-client to access and manipulate electronic mail messages on a server. ../data/rfc/rfc2099.txt-[STANDARDS-TRACK] ../data/rfc/rfc2099.txt- ../data/rfc/rfc2099.txt- ../data/rfc/rfc2099.txt:2059 Rigney Jan 97 RADIUS Accounting ../data/rfc/rfc2099.txt- ../data/rfc/rfc2099.txt:This document describes a protocol for carrying accounting information ../data/rfc/rfc2099.txt:between a Network Access Server and a shared Accounting Server. This ../data/rfc/rfc2099.txt-memo provides information for the Internet community. This memo does ../data/rfc/rfc2099.txt-not specify an Internet standard of any kind. ../data/rfc/rfc2099.txt- ../data/rfc/rfc2099.txt- ../data/rfc/rfc2099.txt-2058 Rigney Jan 97 Remote Authentication Dial In User -- ../data/rfc/rfc5431.txt- [RFC4006]. 
The request is based on the Diameter extensibility ../data/rfc/rfc5431.txt- discussions in the DIME WG that led to the conclusion that it is ../data/rfc/rfc5431.txt- better to define new Command Codes whenever the ABNF of a command is ../data/rfc/rfc5431.txt- modified by adding, removing, or semantically changing a required AVP ../data/rfc/rfc5431.txt- in order to avoid interoperability problems. The document is ../data/rfc/rfc5431.txt: utilizing authorization and accounting functionality, and the entire ../data/rfc/rfc5431.txt- exchange is related to users utilizing applications that require QoS ../data/rfc/rfc5431.txt- treatment. This approach is consistent with the practice and ../data/rfc/rfc5431.txt- experience gained since the publication of [RFC3588] (see for example ../data/rfc/rfc5431.txt- [RFC5224]), which is now under revision by the DIME Working Group who ../data/rfc/rfc5431.txt- will provide a revised set of recommendations and procedures for IANA -- ../data/rfc/rfc5729.txt- get routed several hops before such non-existent realms are ../data/rfc/rfc5729.txt- discovered, thus creating unnecessary overhead to the routing system ../data/rfc/rfc5729.txt- in general. ../data/rfc/rfc5729.txt- ../data/rfc/rfc5729.txt- The NAI decoration is used in Authentication, Authorization, and ../data/rfc/rfc5729.txt: Accounting (AAA) infrastructures where the Diameter messages are ../data/rfc/rfc5729.txt- transported between the NAS and the Diameter server via one or more ../data/rfc/rfc5729.txt- AAA brokers or Diameter proxies. In this case, the NAS to Diameter ../data/rfc/rfc5729.txt- server AAA communication relies on the security properties of the ../data/rfc/rfc5729.txt- intermediate AAA brokers and Diameter proxies. 
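Realm-based routing of a decorated NAI through Diameter proxies, as an added example that is not code from RFC 5729. The quoted text says decorated NAIs are carried hop by hop through AAA brokers, and that requests for realms that do not exist can travel several hops before anyone notices. The decoration syntax used here ("homerealm!user@visitedrealm", where the proxy responsible for visitedrealm strips its own realm and forwards "user@homerealm") follows RFC 7542 section 2.7 and is not shown on this page; the realm table, the hypothetical realm names and the rule that a realm absent from the table is rejected at the first hop are assumptions of this example.

```python
"""Hop-by-hop routing of decorated NAIs at a Diameter proxy.
Added example; not code from RFC 5729. Realm names are hypothetical."""

# Realms this proxy can reach, mapped to the next hop that serves them
# (constructed). "local" marks the proxy's own realm. A realm absent from
# this table is treated as non-existent here instead of being forwarded,
# which is the assumption that stops the multi-hop search the RFC warns of.
KNOWN_REALMS = {
    "visited.example": "local",
    "broker.example": "peer-broker",
    "home.example": "peer-broker",
}


def split_nai(nai):
    """Split user@realm. The realm is taken as everything after the last
    '@' (assumption of this example); an NAI without '@' has realm ''."""
    if "@" not in nai:
        return nai, ""
    user, _, realm = nai.rpartition("@")
    return user, realm


def undecorate(nai):
    """Strip one level of decoration, RFC 7542 section 2.7 style:
    'a.example!b.example!user@visited.example' -> 'b.example!user@a.example'.
    An undecorated NAI is returned unchanged."""
    user, realm = split_nai(nai)
    if "!" not in user:
        return nai
    next_realm, _, rest = user.partition("!")
    return f"{rest}@{next_realm}"


def route(nai, local_realm, known=KNOWN_REALMS):
    """Decide what this proxy does with a request carrying `nai`.
    Returns (action, next_hop_or_reason, nai_to_forward) where action is
    'local', 'forward' or 'reject'."""
    user, realm = split_nai(nai)
    if realm != local_realm:
        # Not addressed to us: relay toward the realm only if we know it.
        if realm in known and known[realm] != "local":
            return "forward", known[realm], nai
        return "reject", f"unknown realm {realm!r}", nai
    if "!" in user:
        # Addressed to us but decorated: peel one layer and route the rest.
        forwarded = undecorate(nai)
        _, next_realm = split_nai(forwarded)
        if next_realm in known and known[next_realm] != "local":
            return "forward", known[next_realm], forwarded
        return "reject", f"unknown realm {next_realm!r}", forwarded
    return "local", "authenticate locally", nai
```

Each hop repeats this: the proxy for visited.example turns "home.example!alice@visited.example" into "alice@home.example" and hands it to its broker, and the broker routes on "home.example" in turn. The security point from the quoted text stands: every intermediate that rewrites the NAI sees and can alter the routing decision, so the NAS-to-home-server path is only as trustworthy as each broker on it.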
../data/rfc/rfc5729.txt- -- ../data/rfc/rfc6734.txt- ../data/rfc/rfc6734.txt- Diameter Attribute-Value Pairs for Cryptographic Key Transport ../data/rfc/rfc6734.txt- ../data/rfc/rfc6734.txt-Abstract ../data/rfc/rfc6734.txt- ../data/rfc/rfc6734.txt: Some Authentication, Authorization, and Accounting (AAA) applications ../data/rfc/rfc6734.txt- require the transport of cryptographic keying material. This ../data/rfc/rfc6734.txt- document specifies a set of Attribute-Value Pairs (AVPs) providing ../data/rfc/rfc6734.txt- native Diameter support of cryptographic key delivery. ../data/rfc/rfc6734.txt- ../data/rfc/rfc6734.txt-Status of This Memo -- ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt- Some remarks about physical and logical multicast follow, and it is ../data/rfc/rfc1671.txt- suggested that a model of how IPng will run over ATM is needed. ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt- Finally, the paper suggests that the requirements for policy routing, ../data/rfc/rfc1671.txt: accounting, and security firewalls will in turn require all IPng ../data/rfc/rfc1671.txt- packets to carry a trace of the type of transaction involved as well ../data/rfc/rfc1671.txt- as of their source and destination. ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt-Transition and deployment ../data/rfc/rfc1671.txt- -- ../data/rfc/rfc1671.txt- basic model works. ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt- Similar remarks could be made about X.25, Frame Relay, SMDS etc. but ../data/rfc/rfc1671.txt- ATM is the case with the highest management hype ratio today. ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt:Policy routing and accounting ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt- Unfortunately, this cannot be ignored, however much one would like ../data/rfc/rfc1671.txt- to. Funding agencies want traffic to flow over the lines funded to ../data/rfc/rfc1671.txt- carry it, and they want to know afterwards how much traffic there ../data/rfc/rfc1671.txt: was.
Accounting information can also be used for network planning ../data/rfc/rfc1671.txt- and for back-charging. ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt- It is therefore necessary that IPng and its routing procedures allow ../data/rfc/rfc1671.txt- traffic to be routed in a way that depends on its source and ../data/rfc/rfc1671.txt- destination in detail. (As an example, traffic from the Physics -- ../data/rfc/rfc1671.txt- CERN than traffic from any other department.) ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt- A simple approach to this requirement is to insist that IPng must ../data/rfc/rfc1671.txt- support provider-based addressing and routing. ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt: Accounting of traffic is required at the same level of detail (or ../data/rfc/rfc1671.txt- more, for example how much of the traffic is ftp and how much is ../data/rfc/rfc1671.txt- www?). ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt- -- ../data/rfc/rfc1671.txt- effective firewalls in routers than IPv4. In particular efficient ../data/rfc/rfc1671.txt- traffic barring based on source and destination addresses and types ../data/rfc/rfc1671.txt- of transaction is needed. ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt- It seems likely that the same features needed to allow policy routing ../data/rfc/rfc1671.txt: and detailed accounting would be needed for improved firewall ../data/rfc/rfc1671.txt- security. It is outside the scope of this document to discuss these ../data/rfc/rfc1671.txt- features in detail, but it seems unlikely that they are limited to ../data/rfc/rfc1671.txt- implementation details in the border routers. Packets will have to ../data/rfc/rfc1671.txt- carry some authenticated trace of the (source, destination, ../data/rfc/rfc1671.txt- transaction) triplet in order to check for unwanted traffic, to allow ../data/rfc/rfc1671.txt: policy-based source routing, and/or to allow detailed accounting. 
../data/rfc/rfc1671.txt- Presumably any IPng will carry source and destination identifiers in ../data/rfc/rfc1671.txt- some format in every packet, but identifying the type of transaction, ../data/rfc/rfc1671.txt- or even the individual transaction, is an extra requirement. ../data/rfc/rfc1671.txt- ../data/rfc/rfc1671.txt-Disclaimer and Acknowledgements -- ../data/rfc/rfc7585.txt- | Service Tag | Use | ../data/rfc/rfc7585.txt- +-----------------+-----------------------------------------+ ../data/rfc/rfc7585.txt- | aaa+auth | RADIUS Authentication, i.e., traffic as | ../data/rfc/rfc7585.txt- | | defined in [RFC2865] | ../data/rfc/rfc7585.txt- | - - - - - - - - | - - - - - - - - - - - - - - - - - - - - | ../data/rfc/rfc7585.txt: | aaa+acct | RADIUS Accounting, i.e., traffic as | ../data/rfc/rfc7585.txt- | | defined in [RFC2866] | ../data/rfc/rfc7585.txt- | - - - - - - - - | - - - - - - - - - - - - - - - - - - - - | ../data/rfc/rfc7585.txt- | aaa+dynauth | RADIUS Dynamic Authorization, i.e., | ../data/rfc/rfc7585.txt- | | traffic as defined in [RFC5176] | ../data/rfc/rfc7585.txt- +-----------------+-----------------------------------------+ -- ../data/rfc/rfc7585.txt- SHOULD be done only when manually configured by an administrator. ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt-2.1.1.3.1. Mandatory-to-Implement Mechanism: Trust Roots + NAIRealm ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt- Verification of authority to provide Authentication, Authorization, ../data/rfc/rfc7585.txt: and Accounting (AAA) services over RADIUS/TLS is a two-step process. ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt- Step 1 is the verification of certificate well-formedness and ../data/rfc/rfc7585.txt- validity as per [RFC5280] and whether it was issued from a root ../data/rfc/rfc7585.txt- certificate that is deemed trustworthy by the RADIUS/TLS client. ../data/rfc/rfc7585.txt- -- ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt-3.1. 
Applicability ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt- Dynamic server discovery as defined in this document is only ../data/rfc/rfc7585.txt- applicable for new AAA transactions and per service (i.e., distinct ../data/rfc/rfc7585.txt: discovery is needed for Authentication, Accounting, and Dynamic ../data/rfc/rfc7585.txt- Authorization) where a RADIUS entity that acts as a forwarding server ../data/rfc/rfc7585.txt- for one or more realms receives a request with a realm for which it ../data/rfc/rfc7585.txt- is not authoritative, and which no explicit next hop is configured. ../data/rfc/rfc7585.txt- It is only applicable for ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt- a. new user sessions, i.e., for the initial Access-Request. ../data/rfc/rfc7585.txt- Subsequent messages concerning this session, for example, Access- ../data/rfc/rfc7585.txt- Challenges and Access-Accepts, use the previously established ../data/rfc/rfc7585.txt- communication channel between client and server. ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt: b. the first accounting ticket for a user session. ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt- c. the first RADIUS DynAuth packet for a user session. ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt-3.2. Configuration Variables ../data/rfc/rfc7585.txt- -- ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt-3.4. Realm to RADIUS Server Resolution Algorithm ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt-3.4.1. Input ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt: For RADIUS Authentication and RADIUS Accounting server discovery, ../data/rfc/rfc7585.txt- input I to the algorithm is the RADIUS User-Name attribute with ../data/rfc/rfc7585.txt- content of the form "user@realm"; the literal "@" sign is the ../data/rfc/rfc7585.txt- separator between a local user identifier within a realm and its ../data/rfc/rfc7585.txt- realm. 
The use of multiple literal "@" signs in a User-Name is ../data/rfc/rfc7585.txt- strongly discouraged; but if present, the last "@" sign is to be -- ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt- Assignee: IESG <iesg@ietf.org> ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt- Contact: IETF Chair <chair@ietf.org> ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt: Description: Authentication, Accounting, and Dynamic Authorization ../data/rfc/rfc7585.txt- via the RADIUS protocol. These service names are used to ../data/rfc/rfc7585.txt- construct the SRV service labels "_radiustls" and "_radiusdtls" ../data/rfc/rfc7585.txt- for discovery of RADIUS/TLS and RADIUS/DTLS servers, respectively. ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt- Reference: RFC 7585 -- ../data/rfc/rfc7585.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, ../data/rfc/rfc7585.txt- "Remote Authentication Dial In User Service (RADIUS)", ../data/rfc/rfc7585.txt- RFC 2865, DOI 10.17487/RFC2865, June 2000, ../data/rfc/rfc7585.txt- <http://www.rfc-editor.org/info/rfc2865>. ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, ../data/rfc/rfc7585.txt- DOI 10.17487/RFC2866, June 2000, ../data/rfc/rfc7585.txt- <http://www.rfc-editor.org/info/rfc2866>. ../data/rfc/rfc7585.txt- ../data/rfc/rfc7585.txt- [RFC3958] Daigle, L. and A. Newton, "Domain-Based Application ../data/rfc/rfc7585.txt- Service Location Using SRV RRs and the Dynamic Delegation -- ../data/rfc/rfc1672.txt-Network Working Group N. Brownlee ../data/rfc/rfc1672.txt-Request for Comments: 1672 The University of Auckland ../data/rfc/rfc1672.txt-Category: Informational August 1994 ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt: Accounting Requirements for IPng ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt-Status of this Memo ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- This memo provides information for the Internet community. 
This memo ../data/rfc/rfc1672.txt- does not specify an Internet standard of any kind. Distribution of -- ../data/rfc/rfc1672.txt- IPng area of any ideas expressed within. Comments should be ../data/rfc/rfc1672.txt- submitted to the big-internet@munnari.oz.au mailing list. ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt-Summary ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt: This white paper discusses accounting requirements for IPng. It ../data/rfc/rfc1672.txt: recommends that all IPng packets carry accounting tags, which would ../data/rfc/rfc1672.txt- vary in size. In the simplest case a tag would simply be a voucher ../data/rfc/rfc1672.txt- identifying the party responsible for the packet. At other times tags ../data/rfc/rfc1672.txt: should also carry other higher-level accounting information. ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt-Background ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt: The Internet Accounting Model - described in RFC 1272 - specifies how ../data/rfc/rfc1672.txt: accounting information is structured, and how it is collected for use ../data/rfc/rfc1672.txt: by accounting aplications. The model is very general, with ../data/rfc/rfc1672.txt: accounting variables being defined for various layers of a protocol ../data/rfc/rfc1672.txt- stack. The group's work has so far concentrated on the lower layers, ../data/rfc/rfc1672.txt- but the model can be extended simply by defining the variables ../data/rfc/rfc1672.txt- required, e.g., for session and application layers. ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- Brian Carpenter [1] suggests that IPng packets should carry ../data/rfc/rfc1672.txt- authenticated (source, destination, transaction) triplets, which ../data/rfc/rfc1672.txt: could be used for policy-based routing and accounting. The following ../data/rfc/rfc1672.txt- sections explain how the transaction field - hereafter called an ../data/rfc/rfc1672.txt: 'accounting tag' - could be used. 
../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt:Lower-layer (Transport) Accounting ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- At the lower (network) layers the tag would simply be a voucher. This ../data/rfc/rfc1672.txt- means it is an arbitrary string which identifies the party ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt-Brownlee [Page 1] ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt:RFC 1672 Accounting Requirements for IPng August 1994 ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- responsible, i.e., willing to pay for, a packet. It would initially ../data/rfc/rfc1672.txt- be set by the host which originates the packet, hence at that stage ../data/rfc/rfc1672.txt- the tag would identify the user who sent it. -- ../data/rfc/rfc1672.txt- path. For example: ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- user - provider tag identifies user ../data/rfc/rfc1672.txt- provider A - provider B tag identifies provider A ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt: The tag could be used by accounting meters to identify the party ../data/rfc/rfc1672.txt- responsible for a traffic flow, without having to deduce this using ../data/rfc/rfc1672.txt: tables of rules. This should considerably simplify accounting for ../data/rfc/rfc1672.txt- transit traffic across intermediate networks. ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt:Higher-layer (Session and Application) Accounting ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt: At higher layers there is a clear need to measure accounting ../data/rfc/rfc1672.txt- variables and communicate them to various points along a packet's ../data/rfc/rfc1672.txt- path, for example an application server may wish to inform a client ../data/rfc/rfc1672.txt- about its usage of resources. 
A tag containing this information could ../data/rfc/rfc1672.txt- be read by meters at any point along the packet's path for charging ../data/rfc/rfc1672.txt- purposes, and could also be used by the client to inform the user of ../data/rfc/rfc1672.txt- charges incurred. ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt: It would make the collection of accounting data much simpler if this ../data/rfc/rfc1672.txt- information was carried in a standard tag within each packet, rather ../data/rfc/rfc1672.txt- than having different protocols provide this service in differing ../data/rfc/rfc1672.txt- ways. ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- For 'old' applications which remain unaware of the tag field, a meter ../data/rfc/rfc1672.txt- could be placed at a gateway for the application's host. This ../data/rfc/rfc1672.txt- 'gateway' meter could determine what the application is by watching ../data/rfc/rfc1672.txt- its streams of packets, then set an appropriate value in thir tag ../data/rfc/rfc1672.txt- fields. ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt:Structure of the accounting tag ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- The two uses of tags outlined above must be able to coexist. Since ../data/rfc/rfc1672.txt- many - indeed most - of the packets will only carry a voucher, it ../data/rfc/rfc1672.txt- seems simplest to keep this as part of the routing tuple (see below). ../data/rfc/rfc1672.txt- -- ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt-Brownlee [Page 2] ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt:RFC 1672 Accounting Requirements for IPng August 1994 ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- If the encryption/digital signature overhead of the second tag proves ../data/rfc/rfc1672.txt- to be too high, it should be possible to combine this with the ../data/rfc/rfc1672.txt- voucher. 
../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- The fine detail of this, or at least the way variables are packed ../data/rfc/rfc1672.txt: into the tags, could be standardised by the Accounting Working Group ../data/rfc/rfc1672.txt- in due course. For the purpose of IPng all that is required is the ../data/rfc/rfc1672.txt- ability to carry one or two variable-size objects in every packet. ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt-References ../data/rfc/rfc1672.txt- -- ../data/rfc/rfc1672.txt- Considerations", RFC 1671, CERN, August 1994. ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt-Security Considerations ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- For IPng to provide reliable transport in a hostile environment, ../data/rfc/rfc1672.txt: routing and accounting information, i.e., the (source, dest, ../data/rfc/rfc1672.txt- network-tag) and (application-tag) tuples, must be tamper-proof. ../data/rfc/rfc1672.txt- Routers and meters which need to use the tuples will need to hold ../data/rfc/rfc1672.txt- appropriate keys for them. Network operators will have to plan ../data/rfc/rfc1672.txt- for this, for example by determining which routers need which ../data/rfc/rfc1672.txt- sets of keys. This will be neccessary in any case for reliable ../data/rfc/rfc1672.txt- policy-based routing, so the extra work required to set up ../data/rfc/rfc1672.txt: accounting meters should be acceptable. ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt-Author's Address ../data/rfc/rfc1672.txt- ../data/rfc/rfc1672.txt- Nevil Brownlee ../data/rfc/rfc1672.txt- Deputy Director -- ../data/rfc/rfc555.txt- require that a user log in to its system with NIC ident and ../data/rfc/rfc555.txt- Id, rather than with host name and password, as it does ../data/rfc/rfc555.txt- currently. ../data/rfc/rfc555.txt- ../data/rfc/rfc555.txt- I emphasize again that Ids have nothing whatsoever to do with ../data/rfc/rfc555.txt: accounting. 
UCLA-NMC doesn't force the Author to prove his ../data/rfc/rfc555.txt- identity so UCLA has someone to whom it can bill the resources ../data/rfc/rfc555.txt- consumed in processing the Delivery transaction. It does so to ../data/rfc/rfc555.txt- prevent Jim White from authoring a piece of mail and claiming ../data/rfc/rfc555.txt- that Larry Roberts wrote it. ../data/rfc/rfc555.txt- -- ../data/rfc/rfc7268.txt- 7. Acknowledgments ................................................28 ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt-1. Introduction ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- In situations where it is desirable to centrally manage ../data/rfc/rfc7268.txt: authentication, authorization, and accounting (AAA) for IEEE 802 ../data/rfc/rfc7268.txt- [IEEE-802] networks, deployment of a backend authentication and ../data/rfc/rfc7268.txt: accounting server is desirable. In such situations, it is expected ../data/rfc/rfc7268.txt- that IEEE 802 authenticators will function as AAA clients. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) ../data/rfc/rfc7268.txt- Usage Guidelines" [RFC3580] provides guidelines for the use of the ../data/rfc/rfc7268.txt- Remote Authentication Dial-In User Service (RADIUS) within networks -- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The Allowed-Called-Station-Id Attribute allows the RADIUS server ../data/rfc/rfc7268.txt- to specify the authenticator MAC addresses and/or networks to ../data/rfc/rfc7268.txt- which the user is allowed to connect. One or more Allowed-Called- ../data/rfc/rfc7268.txt- Station-Id Attributes MAY be included in an Access-Accept, CoA- ../data/rfc/rfc7268.txt: Request, or Accounting-Request packet. 
../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The Allowed-Called-Station-Id Attribute can be useful in ../data/rfc/rfc7268.txt- situations where pre-authentication is supported (e.g., IEEE ../data/rfc/rfc7268.txt- 802.11 pre-authentication). In these scenarios, a Called-Station- ../data/rfc/rfc7268.txt- Id Attribute typically will not be included within the Access- -- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The EAP-Peer-Id Attribute contains a Peer-Id generated by the EAP ../data/rfc/rfc7268.txt- method. Exactly how this name is used depends on the link layer ../data/rfc/rfc7268.txt- in question. See [RFC5247] for more discussion. The EAP-Peer-Id ../data/rfc/rfc7268.txt- Attribute MAY be included in Access-Request, Access-Accept, and ../data/rfc/rfc7268.txt: Accounting-Request packets. More than one EAP-Peer-Id Attribute ../data/rfc/rfc7268.txt- MUST NOT be included in an Access-Request; one or more EAP-Peer-Id ../data/rfc/rfc7268.txt- Attributes MAY be included in an Access-Accept. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- -- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The EAP-Server-Id Attribute contains a Server-Id generated by the ../data/rfc/rfc7268.txt- EAP method. Exactly how this name is used depends on the link ../data/rfc/rfc7268.txt- layer in question. See [RFC5247] for more discussion. The EAP- ../data/rfc/rfc7268.txt- Server-Id Attribute is only allowed in Access-Request, Access- ../data/rfc/rfc7268.txt: Accept, and Accounting-Request packets. More than one EAP-Server- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt-Aboba, et al. Standards Track [Page 8] ../data/rfc/rfc7268.txt- -- ../data/rfc/rfc7268.txt-2.5. 
Mobility-Domain-Id ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- Description ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A single Mobility-Domain-Id Attribute MAY be included in an ../data/rfc/rfc7268.txt: Access-Request or Accounting-Request in order to enable the NAS to ../data/rfc/rfc7268.txt- provide the RADIUS server with the Mobility Domain Identifier ../data/rfc/rfc7268.txt- (MDID), defined in Section 8.4.2.49 of [IEEE-802.11]. A summary ../data/rfc/rfc7268.txt- of the Mobility-Domain-Id Attribute format is shown below. The ../data/rfc/rfc7268.txt- fields are transmitted from left to right. ../data/rfc/rfc7268.txt- -- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt-RFC 7268 RADIUS Attributes for IEEE 802 July 2014 ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- Zero or one Network-Id-Name Attribute is permitted within an ../data/rfc/rfc7268.txt: Access-Request, Access-Challenge, Access-Accept or Accounting- ../data/rfc/rfc7268.txt- Request packet. When included within an Access-Request packet, ../data/rfc/rfc7268.txt- the Network-Id-Name Attribute represents a hint of the NID-Name to ../data/rfc/rfc7268.txt- which the Supplicant should be granted access. When included ../data/rfc/rfc7268.txt- within an Access-Accept packet, the Network-Id-Name Attribute ../data/rfc/rfc7268.txt- represents the NID-Name to which the Supplicant is to be granted ../data/rfc/rfc7268.txt: access. When included within an Accounting-Request packet, the ../data/rfc/rfc7268.txt- Network-Id-Name Attribute represents the NID-Name to which the ../data/rfc/rfc7268.txt- Supplicant has been granted access. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A summary of the Network-Id-Name Attribute format is shown below. ../data/rfc/rfc7268.txt- The fields are transmitted from left to right. -- ../data/rfc/rfc7268.txt- [IEEE-802.1X]. The acronym "EAPoL" stands for Extensible ../data/rfc/rfc7268.txt- Authentication Protocol over Local Area Network. 
../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- Zero or more EAPoL-Announcement Attributes are permitted within an ../data/rfc/rfc7268.txt- Access-Request, Access-Accept, Access-Challenge, Access-Reject, ../data/rfc/rfc7268.txt: Accounting-Request, CoA-Request, or Disconnect-Request packet. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- -- ../data/rfc/rfc7268.txt- Attributes contain EAPoL-Announcement TLVs that the user sent in ../data/rfc/rfc7268.txt- an EAPoL-Announcement. When included within an Access-Accept, ../data/rfc/rfc7268.txt- Access-Challenge, Access-Reject, CoA-Request or Disconnect-Request ../data/rfc/rfc7268.txt- packet, EAPoL-Announcement Attributes contain EAPoL-Announcement ../data/rfc/rfc7268.txt- TLVs that the NAS is to send to the user in a unicast EAPoL- ../data/rfc/rfc7268.txt: Announcement. When sent within an Accounting-Request packet, ../data/rfc/rfc7268.txt- EAPoL-Announcement Attributes contain EAPoL-Announcement TLVs that ../data/rfc/rfc7268.txt- the NAS has most recently sent to the user in a unicast EAPoL- ../data/rfc/rfc7268.txt- Announcement. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A summary of the EAPoL-Announcement Attribute format is shown -- ../data/rfc/rfc7268.txt- unique identifier that, in conjunction with the SSID, encoded ../data/rfc/rfc7268.txt- within the Called-Station-Id Attribute as described in [RFC3580], ../data/rfc/rfc7268.txt- may be used to provide network identification for a subscription ../data/rfc/rfc7268.txt- service provider network (SSPN), as described in Section 8.4.2.94 ../data/rfc/rfc7268.txt- of [IEEE-802.11]. Zero or one WLAN-HESSID Attribute is permitted ../data/rfc/rfc7268.txt: within an Access-Request or Accounting-Request packet. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A summary of the WLAN-HESSID Attribute format is shown below. The ../data/rfc/rfc7268.txt- fields are transmitted from left to right. 
../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- 0 1 2 3 -- ../data/rfc/rfc7268.txt- Description ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The WLAN-Venue-Info Attribute identifies the category of venue ../data/rfc/rfc7268.txt- hosting the WLAN, as defined in Section 8.4.1.34 of [IEEE-802.11]. ../data/rfc/rfc7268.txt- Zero or more WLAN-Venue-Info Attributes may be included in an ../data/rfc/rfc7268.txt: Access-Request or Accounting-Request. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- -- ../data/rfc/rfc7268.txt- Description ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The WLAN-Venue-Language Attribute is a string encoded by ../data/rfc/rfc7268.txt- ISO-14962-1997 [ISO-14962-1997] that defines the language used in ../data/rfc/rfc7268.txt- the WLAN-Venue-Name Attribute. Zero or more WLAN-Venue-Language ../data/rfc/rfc7268.txt: Attributes may be included in an Access-Request or Accounting- ../data/rfc/rfc7268.txt- Request, and each one indicates the language of the WLAN-Venue- ../data/rfc/rfc7268.txt- Name Attribute that follows it. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A summary of the WLAN-Venue-Language Attribute format is shown ../data/rfc/rfc7268.txt- below. The fields are transmitted from left to right. -- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The WLAN-Venue-Name Attribute provides additional metadata on the ../data/rfc/rfc7268.txt- Basic Service Set (BSS). For example, this information may be ../data/rfc/rfc7268.txt- used to assist a user in selecting the appropriate BSS with which ../data/rfc/rfc7268.txt- to associate. Zero or more WLAN-Venue-Name Attributes may be ../data/rfc/rfc7268.txt: included in an Access- Request or Accounting-Request in the same ../data/rfc/rfc7268.txt- or different languages. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A summary of the WLAN-Venue-Name Attribute format is shown below. 
../data/rfc/rfc7268.txt- The fields are transmitted from left to right. ../data/rfc/rfc7268.txt- -- ../data/rfc/rfc7268.txt- disassociated or de-authenticated. This can occur due to policy ../data/rfc/rfc7268.txt- or for reasons related to the user's subscription. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A WLAN-Reason-Code Attribute MAY be included within an Access- ../data/rfc/rfc7268.txt- Reject or Disconnect-Request packet, as well as within an ../data/rfc/rfc7268.txt: Accounting-Request packet. Upon receipt of an Access-Reject or ../data/rfc/rfc7268.txt- Disconnect-Request packet containing a WLAN-Reason-Code Attribute, ../data/rfc/rfc7268.txt- the WLAN-Reason-Code value is copied by the Access Point into the ../data/rfc/rfc7268.txt- Reason Code field of a Disassociation or Deauthentication frame ../data/rfc/rfc7268.txt- (see Clauses 8.3.3.4 and 8.3.3.12, respectively, in ../data/rfc/rfc7268.txt- [IEEE-802.11]), which is subsequently transmitted to the Station. -- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The WLAN-Pairwise-Cipher Attribute contains information on the ../data/rfc/rfc7268.txt- pairwise ciphersuite used to establish the robust security network ../data/rfc/rfc7268.txt- association (RSNA) between the AP and mobile device. A WLAN- ../data/rfc/rfc7268.txt- Pairwise-Cipher Attribute MAY be included within Access-Request ../data/rfc/rfc7268.txt: and Accounting-Request packets. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A summary of the WLAN-Pairwise-Cipher Attribute format is shown ../data/rfc/rfc7268.txt- below. The fields are transmitted from left to right. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- 0 1 2 3 -- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The WLAN-Group-Cipher Attribute contains information on the group ../data/rfc/rfc7268.txt- ciphersuite used to establish the robust security network ../data/rfc/rfc7268.txt- association (RSNA) between the AP and mobile device. 
A WLAN- ../data/rfc/rfc7268.txt- Group-Cipher Attribute MAY be included within Access-Request and ../data/rfc/rfc7268.txt: Accounting-Request packets. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A summary of the WLAN-Group-Cipher Attribute format is shown ../data/rfc/rfc7268.txt- below. The fields are transmitted from left to right. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- 0 1 2 3 -- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The WLAN-AKM-Suite Attribute contains information on the ../data/rfc/rfc7268.txt- authentication and key management suite used to establish the ../data/rfc/rfc7268.txt- robust security network association (RSNA) between the AP and ../data/rfc/rfc7268.txt- mobile device. A WLAN-AKM-Suite Attribute MAY be included within ../data/rfc/rfc7268.txt: Access-Request and Accounting-Request packets. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A summary of the WLAN-AKM-Suite Attribute format is shown below. ../data/rfc/rfc7268.txt- The fields are transmitted from left to right. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- 0 1 2 3 -- ../data/rfc/rfc7268.txt- The WLAN-Group-Mgmt-Cipher Attribute contains information on the ../data/rfc/rfc7268.txt- group management cipher used to establish the robust security ../data/rfc/rfc7268.txt- network association (RSNA) between the AP and mobile device. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- Zero or one WLAN-Group-Mgmt-Cipher Attribute MAY be included ../data/rfc/rfc7268.txt: within Access-Request and Accounting-Request packets. The ../data/rfc/rfc7268.txt- presence of the Attribute indicates that the Station negotiated to ../data/rfc/rfc7268.txt- use management frame protection during association. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A summary of the WLAN-Group-Mgmt-Cipher Attribute format is shown ../data/rfc/rfc7268.txt- below. The fields are transmitted from left to right. 
-- ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- The WLAN-RF-Band Attribute contains information on the radio ../data/rfc/rfc7268.txt- frequency (RF) band used by the Access Point for transmission and ../data/rfc/rfc7268.txt- reception of information to and from the mobile device. Zero or ../data/rfc/rfc7268.txt- one WLAN-RF-Band Attribute MAY be included within an Access- ../data/rfc/rfc7268.txt: Request or Accounting-Request packet. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- A summary of the WLAN-RF-Band Attribute format is shown below. ../data/rfc/rfc7268.txt- The fields are transmitted from left to right. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- 0 1 2 3 -- ../data/rfc/rfc7268.txt- 802, no registries are established for maintenance by the IANA. ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt-5. Security Considerations ../data/rfc/rfc7268.txt- ../data/rfc/rfc7268.txt- Since this document describes the use of RADIUS for purposes of ../data/rfc/rfc7268.txt: authentication, authorization, and accounting in IEEE 802 networks, ../data/rfc/rfc7268.txt- it is vulnerable to all of the threats that are present in other ../data/rfc/rfc7268.txt- RADIUS applications. For a discussion of these threats, see ../data/rfc/rfc7268.txt- [RFC2607], [RFC2865], [RFC3162], [RFC3579], [RFC3580], and [RFC5176]. ../data/rfc/rfc7268.txt- In particular, when RADIUS traffic is sent in the clear, the ../data/rfc/rfc7268.txt- attributes defined in this document can be obtained by an attacker -- ../data/rfc/rfc4740.txt- 8.9. Registration-Termination-Request (RTR) Command ............39 ../data/rfc/rfc4740.txt- 8.10. Registration-Termination-Answer (RTA) Command ............39 ../data/rfc/rfc4740.txt- 8.11. Push-Profile-Request (PPR) Command .......................41 ../data/rfc/rfc4740.txt- 8.12. Push-Profile-Answer (PPA) Command ........................42 ../data/rfc/rfc4740.txt- 9. 
Diameter SIP Application AVPs ..................................44 ../data/rfc/rfc4740.txt: 9.1. SIP-Accounting-Information AVP ............................46 ../data/rfc/rfc4740.txt: 9.1.1. SIP-Accounting-Server-URI AVP ......................47 ../data/rfc/rfc4740.txt- 9.1.2. SIP-Credit-Control-Server-URI AVP ..................47 ../data/rfc/rfc4740.txt- 9.2. SIP-Server-URI AVP ........................................47 ../data/rfc/rfc4740.txt- 9.3. SIP-Server-Capabilities AVP ...............................47 ../data/rfc/rfc4740.txt- 9.3.1. SIP-Mandatory-Capability AVP .......................48 ../data/rfc/rfc4740.txt- 9.3.2. SIP-Optional-Capability AVP ........................48 -- ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- We assume that the SIP server (such as SIP proxy server, registrar, ../data/rfc/rfc4740.txt- redirect server, or alike) and the Diameter client are co-located in ../data/rfc/rfc4740.txt- the same node, so that the SIP server is able to receive and process ../data/rfc/rfc4740.txt- SIP requests and responses. In turn, the SIP server relies on the ../data/rfc/rfc4740.txt: Authentication, Authorization, and Accounting (AAA) infrastructure ../data/rfc/rfc4740.txt- for authenticating the SIP request and authorizing the usage of ../data/rfc/rfc4740.txt- particular SIP services. ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- This document provides Diameter procedures to implement certain ../data/rfc/rfc4740.txt- required functionality when SIP is the protocol chosen to initiate -- ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- In another configuration, the address of a SIP outbound proxy is ../data/rfc/rfc4740.txt- configured (by means outside the scope of this specification) into ../data/rfc/rfc4740.txt- the SIP User Agent. The outbound Diameter client in the SIP outbound ../data/rfc/rfc4740.txt- proxy node authenticates the user, requests authorization for SIP ../data/rfc/rfc4740.txt: requests, and performs accounting activities. 
../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt-6. Overview of Operation ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- This section provides an informative description of how the Diameter ../data/rfc/rfc4740.txt- SIP application can be used together with SIP. This section is not -- ../data/rfc/rfc4740.txt- mechanism mandated by SIP [RFC3261]. The application is extensible ../data/rfc/rfc4740.txt- and, if need arises, it can be extended to provide support for other ../data/rfc/rfc4740.txt- authentication mechanisms or extensions to HTTP Digest authentication ../data/rfc/rfc4740.txt- when they occur. ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt: This application provides limited support for accounting services as ../data/rfc/rfc4740.txt- follows: the Diameter server is able to provide the addresses of ../data/rfc/rfc4740.txt: accounting severs to the Diameter client. Figure 1, below, shows a ../data/rfc/rfc4740.txt- general overview of the integration of the SIP architecture with the ../data/rfc/rfc4740.txt- AAA architecture. ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- According to Figure 1, there are one or more SIP User Agents (UAs) ../data/rfc/rfc4740.txt- that initiate or terminate SIP traffic through one or more SIP -- ../data/rfc/rfc4740.txt- { Result-Code } ../data/rfc/rfc4740.txt- { Auth-Session-State } ../data/rfc/rfc4740.txt- { Origin-Host } ../data/rfc/rfc4740.txt- { Origin-Realm } ../data/rfc/rfc4740.txt- * [ SIP-User-Data ] ../data/rfc/rfc4740.txt: [ SIP-Accounting-Information ] ../data/rfc/rfc4740.txt- * [ SIP-Supported-User-Data-Type ] ../data/rfc/rfc4740.txt- [ User-Name ] ../data/rfc/rfc4740.txt- [ Auth-Grace-Period ] ../data/rfc/rfc4740.txt- [ Authorization-Lifetime ] ../data/rfc/rfc4740.txt- [ Redirect-Host ] -- ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- The Push-Profile-Request (PPR) command is indicated by the ../data/rfc/rfc4740.txt- Command-Code set to 288 and the Command Flags' 'R' bit set. 
The ../data/rfc/rfc4740.txt- Diameter server sends this command to the Diameter client in a SIP ../data/rfc/rfc4740.txt- server to update either the user profile of an already registered ../data/rfc/rfc4740.txt: user in that SIP server or the SIP accounting information. This ../data/rfc/rfc4740.txt- allows an operator to modify the data of a user profile or the ../data/rfc/rfc4740.txt: accounting information and push it to the SIP server where the user ../data/rfc/rfc4740.txt- is registered. ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- Each user has a user profile associated with him/her and other ../data/rfc/rfc4740.txt: accounting information. The profile or the accounting information ../data/rfc/rfc4740.txt- may change with time, e.g., due to addition of new services to the ../data/rfc/rfc4740.txt: user. When the user profile or the accounting information changes, ../data/rfc/rfc4740.txt- the Diameter server sends a Diameter Push-Profile-Request (PPR) ../data/rfc/rfc4740.txt- command to the Diameter client in a SIP server, in order to start ../data/rfc/rfc4740.txt- applying those new services. ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt: A PPR command MAY contain a SIP-Accounting-Information AVP that ../data/rfc/rfc4740.txt: updates the addresses of the accounting servers. Changes in the ../data/rfc/rfc4740.txt: addresses of the accounting servers take effect immediately. The ../data/rfc/rfc4740.txt: Diameter client SHOULD close any existing accounting session with the ../data/rfc/rfc4740.txt: existing server and start providing accounting information to the ../data/rfc/rfc4740.txt: newly acquired accounting server. ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt-Garcia-Martin, et al. 
Standards Track [Page 41] ../data/rfc/rfc4740.txt- -- ../data/rfc/rfc4740.txt- { Origin-Host } ../data/rfc/rfc4740.txt- { Origin-Realm } ../data/rfc/rfc4740.txt- { Destination-Realm } ../data/rfc/rfc4740.txt- { User-Name } ../data/rfc/rfc4740.txt- * [ SIP-User-Data ] ../data/rfc/rfc4740.txt: [ SIP-Accounting-Information ] ../data/rfc/rfc4740.txt- [ Destination-Host ] ../data/rfc/rfc4740.txt- [ Authorization-Lifetime ] ../data/rfc/rfc4740.txt- [ Auth-Grace-Period ] ../data/rfc/rfc4740.txt- * [ Proxy-Info ] ../data/rfc/rfc4740.txt- * [ Route-Record ] -- ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- +-----------------------------------+------+----------------+-------+ ../data/rfc/rfc4740.txt- | Attribute Name | AVP | Reference | Data- | ../data/rfc/rfc4740.txt- | | Code | | Type | ../data/rfc/rfc4740.txt- +-----------------------------------+------+----------------+-------+ ../data/rfc/rfc4740.txt: | SIP-Accounting-Information | 368 | Section 9.1 | G | ../data/rfc/rfc4740.txt: | SIP-Accounting-Server-URI | 369 | Section 9.1.1 | DURI | ../data/rfc/rfc4740.txt- | SIP-Credit-Control-Server-URI | 370 | Section 9.1.2 | DURI | ../data/rfc/rfc4740.txt- | SIP-Server-URI | 371 | Section 9.2 | UTF8S | ../data/rfc/rfc4740.txt- | SIP-Server-Capabilities | 372 | Section 9.3 | G | ../data/rfc/rfc4740.txt- | SIP-Mandatory-Capability | 373 | Section 9.3.1 | U32 | ../data/rfc/rfc4740.txt- | SIP-Optional-Capability | 374 | Section 9.3.2 | U32 | -- ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- +----------------------------------+------+-----+-----+------+------+ ../data/rfc/rfc4740.txt- | Attribute Name | MUST | MAY | SHD | MUST | Encr | ../data/rfc/rfc4740.txt- | | | | NOT | NOT | | ../data/rfc/rfc4740.txt- +----------------------------------+------+-----+-----+------+------+ ../data/rfc/rfc4740.txt: | SIP-Accounting-Information | M | P | | V | N | ../data/rfc/rfc4740.txt: | SIP-Accounting-Server-URI | M | P | | V | N | ../data/rfc/rfc4740.txt- | SIP-Credit-Control-Server-URI | 
M | P | | V | N | ../data/rfc/rfc4740.txt- | SIP-Server-URI | M | P | | V | N | ../data/rfc/rfc4740.txt- | SIP-Server-Capabilities | M | P | | V | N | ../data/rfc/rfc4740.txt- | SIP-Mandatory-Capability | M | P | | V | N | ../data/rfc/rfc4740.txt- | SIP-Optional-Capability | M | P | | V | N | -- ../data/rfc/rfc4740.txt- | SIP-Method | M | P | | V | N | ../data/rfc/rfc4740.txt- +----------------------------------+------+-----+-----+------+------+ ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- Table 3: Summary of the new AVPs flags ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt:9.1. SIP-Accounting-Information AVP ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt: The SIP-Accounting-Information (AVP Code 368) is of type Grouped, and ../data/rfc/rfc4740.txt- contains the Diameter addresses of those nodes that are able to ../data/rfc/rfc4740.txt: collect accounting information. ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt: The SIP-Accounting-Information AVP is defined as follows (per the ../data/rfc/rfc4740.txt- grouped-avp-def of RFC 3588 [RFC3588]): ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt: SIP-Accounting-Information ::= < AVP Header: 368 > ../data/rfc/rfc4740.txt: * [ SIP-Accounting-Server-URI ] ../data/rfc/rfc4740.txt- * [ SIP-Credit-Control-Server-URI ] ../data/rfc/rfc4740.txt- * [ AVP] ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- -- ../data/rfc/rfc4740.txt-Garcia-Martin, et al. Standards Track [Page 46] ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt-RFC 4740 Diameter SIP Application November 2006 ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt:9.1.1. SIP-Accounting-Server-URI AVP ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt: The SIP-Accounting-Server-URI AVP (AVP Code 369) is of type ../data/rfc/rfc4740.txt- DiameterURI. This AVP contains the address of a Diameter server that ../data/rfc/rfc4740.txt: is able to receive SIP-session-related accounting information. 
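The following is an added example and not code from RFC 4740 or from any Diameter stack. It encodes and decodes the SIP-Accounting-Information grouped AVP (code 368) with its SIP-Accounting-Server-URI (369) and SIP-Credit-Control-Server-URI (370) children, using the AVP header layout of RFC 3588 Section 4.1, and enforces the flag rules from Table 3 (M MUST be set, V MUST NOT be set). The server URIs are constructed sample values; the function names are this example's own.

```python
"""Encode/decode the SIP-Accounting-Information grouped AVP (RFC 4740 Section 9.1).

Added example, not from RFC 4740. AVP header per RFC 3588 Section 4.1:
  AVP Code (4 bytes) | Flags (1 byte: V=0x80 M=0x40 P=0x20) |
  AVP Length (3 bytes, header + data, padding excluded) |
  [Vendor-ID (4 bytes) only if V is set] | Data | zero padding to a 4-byte boundary
"""
import struct

AVP_SIP_ACCOUNTING_INFORMATION = 368     # Grouped, Section 9.1
AVP_SIP_ACCOUNTING_SERVER_URI = 369      # DiameterURI, Section 9.1.1
AVP_SIP_CREDIT_CONTROL_SERVER_URI = 370  # DiameterURI, Section 9.1.2
FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20


def encode_avp(code, data, flags=FLAG_M):
    """One IETF (non-vendor) AVP: 8-byte header, data, padding."""
    if flags & FLAG_V:
        raise ValueError("Table 3: the V bit MUST NOT be set on RFC 4740 AVPs")
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf):
    """Split a buffer into (code, flags, vendor_id, data) tuples, bounds-checked."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length %d out of range" % length)
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & FLAG_V else None
        avps.append((code, flags, vendor, buf[off + hdr:off + length]))
        off += length + ((-length) % 4)   # skip padding, which AVP Length excludes
    return avps


def check_diameter_uri(uri):
    """DiameterURI (RFC 3588 Section 4.3) carries the aaa:// or aaas:// scheme."""
    if not uri.startswith(("aaa://", "aaas://")):
        raise ValueError("not a DiameterURI: %r" % uri)
    return uri


def encode_sip_accounting_information(accounting_uris, credit_control_uris=()):
    """Build the grouped AVP as the Diameter server sends it in a PPR or an answer."""
    body = b"".join(encode_avp(AVP_SIP_ACCOUNTING_SERVER_URI, check_diameter_uri(u).encode())
                    for u in accounting_uris)
    body += b"".join(encode_avp(AVP_SIP_CREDIT_CONTROL_SERVER_URI, check_diameter_uri(u).encode())
                     for u in credit_control_uris)
    return encode_avp(AVP_SIP_ACCOUNTING_INFORMATION, body)


def parse_sip_accounting_information(raw):
    """Client-side decode applying the flag rules of Table 3 and the unknown-AVP rule."""
    avps = decode_avps(raw)
    if len(avps) != 1 or avps[0][0] != AVP_SIP_ACCOUNTING_INFORMATION:
        raise ValueError("expected exactly one SIP-Accounting-Information AVP")
    _, flags, _, data = avps[0]
    if flags & FLAG_V or not flags & FLAG_M:
        raise ValueError("SIP-Accounting-Information: M MUST be set, V MUST NOT")
    servers = {"accounting": [], "credit_control": []}
    for code, sub_flags, _, sub_data in decode_avps(data):
        if sub_flags & FLAG_V:
            raise ValueError("vendor-specific AVP %d not allowed here" % code)
        if code == AVP_SIP_ACCOUNTING_SERVER_URI:
            servers["accounting"].append(check_diameter_uri(sub_data.decode()))
        elif code == AVP_SIP_CREDIT_CONTROL_SERVER_URI:
            servers["credit_control"].append(check_diameter_uri(sub_data.decode()))
        elif sub_flags & FLAG_M:
            # "* [ AVP ]" admits other AVPs, but an unrecognised one with M set
            # cannot be silently dropped: reject the message instead.
            raise ValueError("unsupported mandatory AVP %d" % code)
        # unknown AVPs without the M bit are ignored
    return servers


if __name__ == "__main__":
    raw = encode_sip_accounting_information(
        ["aaa://acct1.example.com:3868;transport=tcp;protocol=diameter"],
        ["aaa://cc.example.com"])
    print(raw.hex())
    print(parse_sip_accounting_information(raw))
```

The decoder rejects a vendor-flagged child and an unknown child carrying the M bit rather than ignoring them; a client that silently skipped such AVPs could be steered to a different accounting server than the one the Diameter server intended without noticing the message was malformed.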
../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt-9.1.2. SIP-Credit-Control-Server-URI AVP ../data/rfc/rfc4740.txt- ../data/rfc/rfc4740.txt- The SIP-Credit-Control-Server-URI AVP (AVP Code 370) is of type ../data/rfc/rfc4740.txt- DiameterURI. This AVP contains the address of a Diameter server that -- ../data/rfc/rfc1789.txt- Section 4); ../data/rfc/rfc1789.txt- ../data/rfc/rfc1789.txt- (i) Handle exceptional conditions, such as long delay or drop of ../data/rfc/rfc1789.txt- voice packets; ../data/rfc/rfc1789.txt- ../data/rfc/rfc1789.txt: (j) Monitor quality of service and keep accounting information. ../data/rfc/rfc1789.txt- ../data/rfc/rfc1789.txt- The above listed functions represent probably the minimal ../data/rfc/rfc1789.txt- requirements for each INETPhone server. Some further important ../data/rfc/rfc1789.txt- features, such as compression/decompression, security, multicasting, ../data/rfc/rfc1789.txt- and voice mail need also to be considered when a real service of -- ../data/rfc/rfc6342.txt- or in the Visited Network. ../data/rfc/rfc6342.txt- ../data/rfc/rfc6342.txt- o The Mobile Network Gateway (MNG): The MNG is the MN's default ../data/rfc/rfc6342.txt- router, which provides IP address management. The MNG performs ../data/rfc/rfc6342.txt- functions such as offering Quality of Service (QoS), applying ../data/rfc/rfc6342.txt: subscriber-specific policy, and enabling billing and accounting; ../data/rfc/rfc6342.txt- these functions are sometimes collectively referred to as ../data/rfc/rfc6342.txt- "subscriber-management" operations. The mobile network ../data/rfc/rfc6342.txt- architecture, as shown in Figure 1, defines the necessary protocol ../data/rfc/rfc6342.txt- interfaces to enable subscriber-management operations. The MNG is ../data/rfc/rfc6342.txt- typically located in the Home Network. ../data/rfc/rfc6342.txt- ../data/rfc/rfc6342.txt- o Border Router (BR): As the name implies, a BR borders the Internet ../data/rfc/rfc6342.txt- for the mobile network. 
The BR does not perform subscriber ../data/rfc/rfc6342.txt- management for the mobile network. ../data/rfc/rfc6342.txt- ../data/rfc/rfc6342.txt: o Authentication, Authorization, and Accounting (AAA): The general ../data/rfc/rfc6342.txt- functionality of AAA is used for subscriber authentication and ../data/rfc/rfc6342.txt- authorization for services as well as for generating billing and ../data/rfc/rfc6342.txt: accounting information. ../data/rfc/rfc6342.txt- ../data/rfc/rfc6342.txt- In 3GPP network environments, the subscriber authentication and ../data/rfc/rfc6342.txt- the subsequent authorization for connectivity and services is ../data/rfc/rfc6342.txt- provided using the "Home Location Register" (HLR) / "Home ../data/rfc/rfc6342.txt- Subscriber Server" (HSS) functionality. -- ../data/rfc/rfc6342.txt- functionality becomes important. ../data/rfc/rfc6342.txt- ../data/rfc/rfc6342.txt- In addition to the developments cited above, NAT placement is ../data/rfc/rfc6342.txt- important for other reasons as well. Access networks generally need ../data/rfc/rfc6342.txt- to produce network and service usage records for billing and ../data/rfc/rfc6342.txt: accounting. This is true also for mobile networks where "subscriber ../data/rfc/rfc6342.txt: management" features (i.e., QoS, Policy, and Billing and Accounting) ../data/rfc/rfc6342.txt- can be fairly detailed. Since a NAT introduces a binding between two ../data/rfc/rfc6342.txt- addresses, the bindings themselves become necessary information for ../data/rfc/rfc6342.txt- subscriber management. For instance, the offered QoS on private IPv4 ../data/rfc/rfc6342.txt- address and the (shared) public IPv4 address may need to be ../data/rfc/rfc6342.txt: correlated for accounting purposes. As another example, the ../data/rfc/rfc6342.txt- Application Servers within the provider network may need to treat ../data/rfc/rfc6342.txt- traffic based on policy provided by the PCRF. 
If the IP address seen ../data/rfc/rfc6342.txt- by these Application Servers is not unique, the PCRF needs to be able ../data/rfc/rfc6342.txt- to inspect the NAT binding to disambiguate among the individual MNs. ../data/rfc/rfc6342.txt- The subscriber session management information and the service usage -- ../data/rfc/rfc2050.txt- based on administrative convenience. ../data/rfc/rfc2050.txt- ../data/rfc/rfc2050.txt-3.3 Previous Assignment History ../data/rfc/rfc2050.txt- ../data/rfc/rfc2050.txt- To promote increased usage of address space, the registries will ../data/rfc/rfc2050.txt: require an accounting of address space previously assigned to the ../data/rfc/rfc2050.txt- enterprise, if any. In the context of address space allocation, an ../data/rfc/rfc2050.txt- "enterprise" consists of all divisions and/or subsidiaries falling ../data/rfc/rfc2050.txt- under a common parent organization. The previous assignment history ../data/rfc/rfc2050.txt- should include all network numbers assigned to the organization, plus ../data/rfc/rfc2050.txt- the network masks for those networks and the number of hosts on each -- ../data/rfc/rfc7833.txt- named using a Network Access Identifier (NAI) name identifier format. ../data/rfc/rfc7833.txt- Finally, the subject confirmation methods allow requests and queries ../data/rfc/rfc7833.txt- to be issued for a previously authenticated user or machine without ../data/rfc/rfc7833.txt- needing to explicitly identify them as the subject. The use of the ../data/rfc/rfc7833.txt- artifacts defined in this document is not exclusive to ABFAB. They ../data/rfc/rfc7833.txt: can be applied in any Authentication, Authorization, and Accounting ../data/rfc/rfc7833.txt- (AAA) scenario, such as network access control. ../data/rfc/rfc7833.txt- ../data/rfc/rfc7833.txt-Status of This Memo ../data/rfc/rfc7833.txt- ../data/rfc/rfc7833.txt- This is an Internet Standards Track document. 
-- ../data/rfc/rfc7833.txt- as bindings [OASIS.saml-bindings-2.0-os], which are primarily ../data/rfc/rfc7833.txt- intended for use with the SAML V2.0 web browser single sign-on ../data/rfc/rfc7833.txt- profile [OASIS.saml-profiles-2.0-os]. However, the goal of ABFAB is ../data/rfc/rfc7833.txt- to extend the applicability of federated identity beyond the web to ../data/rfc/rfc7833.txt- other applications by building on the Authentication, Authorization, ../data/rfc/rfc7833.txt: and Accounting (AAA) framework. Consequently, there exists a ../data/rfc/rfc7833.txt- requirement for SAML to integrate with the AAA framework and with ../data/rfc/rfc7833.txt- protocols such as RADIUS [RFC2865] and Diameter [RFC6733], in ../data/rfc/rfc7833.txt- addition to HTTP. ../data/rfc/rfc7833.txt- ../data/rfc/rfc7833.txt- -- ../data/rfc/rfc3251.txt- model, in which the lamps and the distribution network use a ../data/rfc/rfc3251.txt- single control plane. ../data/rfc/rfc3251.txt- 5. RSVP-TE (RSVP with Tariff Extensions) will be used for ../data/rfc/rfc3251.txt- establishing paths for electricity flow in a de-regulated ../data/rfc/rfc3251.txt- environment. ../data/rfc/rfc3251.txt: 6. COPS will be used to support accounting and policy. ../data/rfc/rfc3251.txt- ../data/rfc/rfc3251.txt- After jotting these points down, we felt better. We then noted the ../data/rfc/rfc3251.txt- following immediate advantages of the proposed scheme: ../data/rfc/rfc3251.txt- ../data/rfc/rfc3251.txt- 1. Switches and transformers in the LDS can be replaced by LSRs, -- ../data/rfc/rfc3726.txt- avoids profiling of entities by adversary eavesdropping the signaling ../data/rfc/rfc3726.txt- traffic along the path. The identity used in the process of ../data/rfc/rfc3726.txt- authentication may also be hidden to a limited extent from a network ../data/rfc/rfc3726.txt- to which the initiator is attached. 
However the identity MUST ../data/rfc/rfc3726.txt- provide enough information for the nodes in the access network to ../data/rfc/rfc3726.txt: collect accounting data. ../data/rfc/rfc3726.txt- ../data/rfc/rfc3726.txt- Network topology hiding MAY be supported to prevent entities along ../data/rfc/rfc3726.txt- the path to learn the topology of a network. Supporting this ../data/rfc/rfc3726.txt- property might conflict with a diagnostic capability. ../data/rfc/rfc3726.txt- -- ../data/rfc/rfc3726.txt- 3) Authorization: It is critical that the NSIS Initiator is ../data/rfc/rfc3726.txt- authorized to perform a QoS path setup. ../data/rfc/rfc3726.txt- ../data/rfc/rfc3726.txt- 4) Accountability: It is important to notice that signaling might be ../data/rfc/rfc3726.txt- used as an entity to charge money for, therefore the ../data/rfc/rfc3726.txt: interoperation with accounting needs to be available. ../data/rfc/rfc3726.txt- ../data/rfc/rfc3726.txt-8.8. QoS Signaling Between PSTN Gateways and Backbone Routers ../data/rfc/rfc3726.txt- ../data/rfc/rfc3726.txt- A PSTN gateway (i.e., host) requires information from the network ../data/rfc/rfc3726.txt- regarding its ability to transport voice traffic across the network. -- ../data/rfc/rfc3726.txt- ../data/rfc/rfc3726.txt- ../data/rfc/rfc3726.txt- aggregate to which the flow must be admitted. In this case, the ../data/rfc/rfc3726.txt- operation of admission control is very similar to the case of the ../data/rfc/rfc3726.txt- PSTN GW with the additional level of indirection imposed by the VPN ../data/rfc/rfc3726.txt: tunnel. Therefore, authentication, accounting and policing may be ../data/rfc/rfc3726.txt- required on the PE router. ../data/rfc/rfc3726.txt- ../data/rfc/rfc3726.txt- In the case of per site signaling, a site would need to be ../data/rfc/rfc3726.txt- identified. This may be accomplished by specifying the network ../data/rfc/rfc3726.txt- serviced at that site through an IP prefix. 
In this case, the -- ../data/rfc/rfc2722.txt- administering the tariff), incentives (e.g. encouraging off-peak ../data/rfc/rfc2722.txt- use), and cost recovery goals (100% recovery, subsidisation, profit ../data/rfc/rfc2722.txt- making). Issues such as these are not covered here. ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- Background information explaining why this approach was selected is ../data/rfc/rfc2722.txt: provided by the 'Internet Accounting Background' RFC [ACT-BKG]. ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- -- ../data/rfc/rfc2722.txt- tool for measuring and understanding the network's traffic flows. ../data/rfc/rfc2722.txt- This information is useful for many purposes, as mentioned in section ../data/rfc/rfc2722.txt- 1 (above). ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- The following sections outline a model for traffic flow measurement, ../data/rfc/rfc2722.txt: which draws from working drafts of the OSI accounting model [OSI- ../data/rfc/rfc2722.txt- ACT]. ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt-2.1 Meters and Traffic Flows ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- At the heart of the traffic measurement model are network entities -- ../data/rfc/rfc2722.txt- address (e.g. an IP port number), any combination of the above, etc, ../data/rfc/rfc2722.txt- depending on the meter's configuration. ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- We assume that routers or traffic monitors throughout a network are ../data/rfc/rfc2722.txt- instrumented with meters to measure traffic. Issues surrounding the ../data/rfc/rfc2722.txt: choice of meter placement are discussed in the 'Internet Accounting ../data/rfc/rfc2722.txt- Background' RFC [ACT-BKG]. An important aspect of meters is that they ../data/rfc/rfc2722.txt- provide a way of succinctly aggregating traffic information. 
../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- For the purpose of traffic flow measurement we define the concept of ../data/rfc/rfc2722.txt- a TRAFFIC FLOW, which is like an artificial logical equivalent to a -- ../data/rfc/rfc2722.txt- notion of ports. ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- Reporting by adjacent intermediate sources and destinations or simply ../data/rfc/rfc2722.txt- by meter interface (most useful when the meter is embedded in a ../data/rfc/rfc2722.txt- router) supports hierarchical Internet reporting schemes as described ../data/rfc/rfc2722.txt: in the 'Internet Accounting Background' RFC [ACT-BKG]. That is, it ../data/rfc/rfc2722.txt- allows backbone and regional networks to measure usage to just the ../data/rfc/rfc2722.txt- next lower level of granularity (i.e. to the regional and ../data/rfc/rfc2722.txt- stub/enterprise levels, respectively), with the final breakdown ../data/rfc/rfc2722.txt- according to end user (e.g. to source IP address) performed by the ../data/rfc/rfc2722.txt- stub/enterprise networks. -- ../data/rfc/rfc2722.txt- security risks and their countermeasures. ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt-10 Acknowledgments ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- An initial draft of this document was produced under the auspices ../data/rfc/rfc2722.txt: of the IETF's Internet Accounting Working Group with assistance ../data/rfc/rfc2722.txt- from SNMP, RMON and SAAG working groups. Particular thanks are ../data/rfc/rfc2722.txt- due to Stephen Stibler (IBM Research) for his patient and careful ../data/rfc/rfc2722.txt- comments during the preparation of this memo. ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- -- ../data/rfc/rfc2722.txt- Local Area Networks - Part 3: Carrier sense multiple ../data/rfc/rfc2722.txt- access with collision detection (CSMA/CD) access method ../data/rfc/rfc2722.txt- and physical layer specifications, 2nd edition, September ../data/rfc/rfc2722.txt- 21, 1990. 
../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt: [ACT-BKG] Mills, C., Hirsch, G. and G. Ruth, "Internet Accounting ../data/rfc/rfc2722.txt- Background", RFC 1272, November 1991. ../data/rfc/rfc2722.txt- ../data/rfc/rfc2722.txt- [IANA-RFC] Alvestrand, H. and T. Narten, "Guidelines for Writing an ../data/rfc/rfc2722.txt- IANA Considerations Section in RFCs", BCP 26, RFC 2434, ../data/rfc/rfc2722.txt- October 1998. -- ../data/rfc/rfc7340.txt- the P-Asserted-Identity header evolved as part of a broader effort to ../data/rfc/rfc7340.txt- reach parity with traditional telephone network signaling mechanisms ../data/rfc/rfc7340.txt- for selectively sharing and restricting presentation of the calling ../data/rfc/rfc7340.txt- party number at the user level while still allowing core network ../data/rfc/rfc7340.txt- elements to know the identity of the user for abuse prevention and ../data/rfc/rfc7340.txt: accounting. ../data/rfc/rfc7340.txt- ../data/rfc/rfc7340.txt- In order for P-Asserted-Identity to have these properties, it ../data/rfc/rfc7340.txt- requires the existence of a trust domain as described in [RFC3324]. ../data/rfc/rfc7340.txt- Any entity in the trust domain may add a P-Asserted-Identity header ../data/rfc/rfc7340.txt- to a SIP message, and any entity in the trust domain may forward a -- ../data/rfc/rfc2382.txt- all the functionality of a router, but such things as MARS and NHRP ../data/rfc/rfc2382.txt- clients would be worthwhile features. A host must manage VCs just ../data/rfc/rfc2382.txt- like any other ATM sender or receiver as described later in section ../data/rfc/rfc2382.txt- 4. ../data/rfc/rfc2382.txt- ../data/rfc/rfc2382.txt:2.6 Accounting and Policy Issues ../data/rfc/rfc2382.txt- ../data/rfc/rfc2382.txt- Since RSVP and IntServ create classes of preferential service, some ../data/rfc/rfc2382.txt- form of administrative control and/or cost allocation is needed to ../data/rfc/rfc2382.txt- control access. 
There are certain types of policies specific to ATM ../data/rfc/rfc2382.txt- and IP over ATM that need to be studied to determine how they -- ../data/rfc/rfc2382.txt- ../data/rfc/rfc2382.txt- There may be a need for policies specific to IP over ATM. For ../data/rfc/rfc2382.txt- example, since signalling costs in ATM are high relative to IP, an IP ../data/rfc/rfc2382.txt- over ATM specific policy might restrict the ability to change the ../data/rfc/rfc2382.txt- prevailing QoS in a VC. If VCs are relatively scarce, there also ../data/rfc/rfc2382.txt: might be specific accounting costs in creating a new VC. The work so ../data/rfc/rfc2382.txt- far has been preliminary, and much work remains to be done. The ../data/rfc/rfc2382.txt- ../data/rfc/rfc2382.txt- ../data/rfc/rfc2382.txt- ../data/rfc/rfc2382.txt-Crawley, et. al. Informational [Page 11] -- ../data/rfc/rfc990.txt- 1-149 Unassigned [JBP] ../data/rfc/rfc990.txt- 150 Xerox NS IDP [139,HGM] ../data/rfc/rfc990.txt- 151 Unassigned [JBP] ../data/rfc/rfc990.txt- 152 PARC Universal Protocol [15,HGM] ../data/rfc/rfc990.txt- 153 TIP Status Reporting [JGH] ../data/rfc/rfc990.txt: 154 TIP Accounting [JGH] ../data/rfc/rfc990.txt- 155 Internet Protocol [regular] [101,JBP] ../data/rfc/rfc990.txt- 156-158 Internet Protocol [experimental] [101,JBP] ../data/rfc/rfc990.txt- 159 Figleaf Link [JBW1] ../data/rfc/rfc990.txt- 160-194 Unassigned [JBP] ../data/rfc/rfc990.txt- 195 ISO-IP [65,RXM] -- ../data/rfc/rfc592.txt- It is probably reasonably straightforward to define service ../data/rfc/rfc592.txt- interfaces, but they will be useless unless their activating ../data/rfc/rfc592.txt- command languages and other conventions are well documented and ../data/rfc/rfc592.txt- this documentation is kept up to date. 
../data/rfc/rfc592.txt- ../data/rfc/rfc592.txt: 5) Accounting ../data/rfc/rfc592.txt- ../data/rfc/rfc592.txt- A very difficult problem once you interconnect systems at lower ../data/rfc/rfc592.txt: levels is to design an appropriate network accounting and banking ../data/rfc/rfc592.txt- system that will not cause undue delays in accessing distributed ../data/rfc/rfc592.txt- resources. ../data/rfc/rfc592.txt- ../data/rfc/rfc592.txt- 6) Error Handling ../data/rfc/rfc592.txt- -- ../data/rfc/rfc6639.txt-4.1. MPLS Management Overview and Requirements ../data/rfc/rfc6639.txt- ../data/rfc/rfc6639.txt- [RFC4378] outlines how data-plane protocols can assist in providing ../data/rfc/rfc6639.txt- the Operations, Administration, and Maintenance (OAM) requirements ../data/rfc/rfc6639.txt- outlined in [RFC4377] and how it is applied to the management ../data/rfc/rfc6639.txt: functions of fault, configuration, accounting, performance, and ../data/rfc/rfc6639.txt- security (commonly known as FCAPS) for MPLS networks. ../data/rfc/rfc6639.txt- ../data/rfc/rfc6639.txt- [RFC4221] describes the management architecture for MPLS. In ../data/rfc/rfc6639.txt- particular, it describes how the managed objects defined in various ../data/rfc/rfc6639.txt- MPLS-related MIB modules model different aspects of MPLS, as well as -- ../data/rfc/rfc1244.txt- managed and physically secured. Links outside a site were unusual. ../data/rfc/rfc1244.txt- Computer security threats were rare, and were basically concerned ../data/rfc/rfc1244.txt- with insiders: authorized users misusing accounts, theft and ../data/rfc/rfc1244.txt- vandalism, and so forth. These threats were well understood and ../data/rfc/rfc1244.txt- dealt with using standard techniques: computers behind locked doors, ../data/rfc/rfc1244.txt: and accounting for all resources. ../data/rfc/rfc1244.txt- ../data/rfc/rfc1244.txt- Computing in the 1990's is radically different. 
Many systems are in ../data/rfc/rfc1244.txt- private offices and labs, often managed by individuals or persons ../data/rfc/rfc1244.txt- employed outside a computer center. Many systems are connected into ../data/rfc/rfc1244.txt- the Internet, and from there around the world: the United States, -- ../data/rfc/rfc1244.txt- A week later you find that your system initialization ../data/rfc/rfc1244.txt- files had been altered in a hostile fashion. ../data/rfc/rfc1244.txt- ../data/rfc/rfc1244.txt- - You receive a call saying that a breakin to a government ../data/rfc/rfc1244.txt- lab occurred from one of your center's machines. You ../data/rfc/rfc1244.txt: are requested to provide accounting files to help ../data/rfc/rfc1244.txt- trackdown the attacker. ../data/rfc/rfc1244.txt- ../data/rfc/rfc1244.txt- A week later you are given a list of machines at your ../data/rfc/rfc1244.txt- site that have been broken into. ../data/rfc/rfc1244.txt- -- ../data/rfc/rfc1244.txt- right set of controls. If the major threat to your system is ../data/rfc/rfc1244.txt- outside penetrators, it probably doesn't make much sense to use ../data/rfc/rfc1244.txt- biometric devices to authenticate your regular system users. On ../data/rfc/rfc1244.txt- the other hand, if the major threat is unauthorized use of ../data/rfc/rfc1244.txt- computing resources by regular system users, you'll probably want ../data/rfc/rfc1244.txt: to establish very rigorous automated accounting procedures. ../data/rfc/rfc1244.txt- ../data/rfc/rfc1244.txt- 3.3.2 Use Common Sense ../data/rfc/rfc1244.txt- ../data/rfc/rfc1244.txt- Common sense is the most appropriate tool that can be used to ../data/rfc/rfc1244.txt- establish your security policy. Elaborate security schemes and -- ../data/rfc/rfc1244.txt- login histories. Most users typically log in and out ../data/rfc/rfc1244.txt- at roughly the same time each day. 
An account logged ../data/rfc/rfc1244.txt- in outside the "normal" time for the account may be in ../data/rfc/rfc1244.txt- use by an intruder. ../data/rfc/rfc1244.txt- ../data/rfc/rfc1244.txt: - Many systems maintain accounting records for billing ../data/rfc/rfc1244.txt- purposes. These records can also be used to determine ../data/rfc/rfc1244.txt: usage patterns for the system; unusual accounting records ../data/rfc/rfc1244.txt- may indicate unauthorized use of the system. ../data/rfc/rfc1244.txt- ../data/rfc/rfc1244.txt- - System logging facilities, such as the UNIX "syslog" ../data/rfc/rfc1244.txt- utility, should be checked for unusual error messages ../data/rfc/rfc1244.txt- from system software. For example, a large number of -- ../data/rfc/rfc1244.txt- has unexplainedly been created), or high activity on ../data/rfc/rfc1244.txt- an account that has had virtually no activity for ../data/rfc/rfc1244.txt- months. ../data/rfc/rfc1244.txt- o New files (usually with novel or strange file names, ../data/rfc/rfc1244.txt- such as data.xx or k). ../data/rfc/rfc1244.txt: o Accounting discrepancies (e.g., in a UNIX system you ../data/rfc/rfc1244.txt: might notice that the accounting file called ../data/rfc/rfc1244.txt- /usr/admin/lastlog has shrunk, something that should ../data/rfc/rfc1244.txt- make you very suspicious that there may be an ../data/rfc/rfc1244.txt- intruder). ../data/rfc/rfc1244.txt- o Changes in file lengths or dates (e.g., a user should ../data/rfc/rfc1244.txt- be suspicious if he/she observes that the .EXE files in -- ../data/rfc/rfc1244.txt- the POC may be able to speak for the site in court. The ../data/rfc/rfc1244.txt- alternative is to have multiple witnesses that will be hard to ../data/rfc/rfc1244.txt- coordinate in a legal sense, and will weaken any case against the ../data/rfc/rfc1244.txt- attackers. 
A single POC may also be the single person in charge ../data/rfc/rfc1244.txt- of evidence collected, which will keep the number of people ../data/rfc/rfc1244.txt: accounting for evidence to a minimum. As a rule of thumb, the ../data/rfc/rfc1244.txt- more people that touch a potential piece of evidence, the greater ../data/rfc/rfc1244.txt- the possibility that it will be inadmissible in court. The ../data/rfc/rfc1244.txt- section below (Legal/Investigative) will provide more details for ../data/rfc/rfc1244.txt- consideration on this topic. ../data/rfc/rfc1244.txt- -- ../data/rfc/rfc1244.txt- some of the insight as to the nature of the incident, and aid ../data/rfc/rfc1244.txt- investigation and prosecution. It is best to compare previous ../data/rfc/rfc1244.txt- backups or original tapes when possible; advance preparation is ../data/rfc/rfc1244.txt- the key. If the system supports centralized logging (most do), go ../data/rfc/rfc1244.txt- back over the logs and look for abnormalities. If process ../data/rfc/rfc1244.txt: accounting and connect time accounting is enabled, look for ../data/rfc/rfc1244.txt- patterns of system usage. To a lesser extent, disk usage may shed ../data/rfc/rfc1244.txt: light on the incident. Accounting can provide much helpful ../data/rfc/rfc1244.txt- information in an analysis of an incident and subsequent ../data/rfc/rfc1244.txt- prosecution. ../data/rfc/rfc1244.txt- ../data/rfc/rfc1244.txt- 6.2.2 Cleanup ../data/rfc/rfc1244.txt- -- ../data/rfc/rfc1244.txt- ../data/rfc/rfc1244.txt- A Cornell University Report presented to the Provost of the ../data/rfc/rfc1244.txt- University on 6 February 1989 on the Internet Worm. ../data/rfc/rfc1244.txt- ../data/rfc/rfc1244.txt- [GAO] ../data/rfc/rfc1244.txt: U.S. General Accounting Office, "Computer Security - Virus ../data/rfc/rfc1244.txt- Highlights Need for Improved Internet Management", United ../data/rfc/rfc1244.txt: States General Accounting Office, Washington, DC, 1989. 
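The checks below are an added example and not code from RFC 1244. They turn two of the indicators quoted above into detection logic: a login accounting file (lastlog) that has shrunk or lost records relative to a trusted snapshot, and an account logging in outside its usual hours. The record layout is the glibc struct lastlog on Linux with a 32-bit time field, which is an assumption of this example; all records and the per-user hour windows are constructed sample data.

```python
"""Detection checks over login accounting records, in the spirit of RFC 1244 Sections 5 and 6.

Added example, not from RFC 1244. The lastlog record layout is the glibc
struct lastlog on Linux with a 32-bit ll_time (an assumption); every record
below is constructed sample data.
"""
import struct
from datetime import datetime, timezone

LASTLOG_FMT = "<i32s256s"                    # ll_time, ll_line, ll_host
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292 bytes, one slot per uid


def pack_lastlog(records):
    """Build a lastlog image from {uid: (epoch_seconds, line, host)}."""
    image = bytearray(LASTLOG_SIZE * (max(records) + 1))
    for uid, (t, line, host) in records.items():
        struct.pack_into(LASTLOG_FMT, image, uid * LASTLOG_SIZE, t, line.encode(), host.encode())
    return bytes(image)


def parse_lastlog(image):
    """Return {uid: (epoch_seconds, line, host)} for every slot with a login time."""
    if len(image) % LASTLOG_SIZE:
        raise ValueError("lastlog size is not a multiple of the record size")
    entries = {}
    for uid in range(len(image) // LASTLOG_SIZE):
        t, line, host = struct.unpack_from(LASTLOG_FMT, image, uid * LASTLOG_SIZE)
        if t:
            entries[uid] = (t, line.split(b"\0", 1)[0].decode(), host.split(b"\0", 1)[0].decode())
    return entries


def audit_lastlog(baseline, current):
    """Compare a trusted snapshot with the live file; return human-readable findings."""
    findings = []
    if len(current) < len(baseline):
        findings.append("lastlog shrank from %d to %d bytes" % (len(baseline), len(current)))
    before, now = parse_lastlog(baseline), parse_lastlog(current)
    for uid, (t, line, host) in before.items():
        if uid not in now:
            findings.append("uid %d: last-login record erased (was %s from %r)" % (uid, line, host))
        elif now[uid][0] < t:
            findings.append("uid %d: last-login time moved backwards" % uid)
    return findings


def off_hours_logins(logins, profile):
    """Flag (user, epoch_seconds) logins outside the user's usual UTC hour window."""
    flagged = []
    for user, t in logins:
        window = profile.get(user)
        if window is None:
            continue                          # no baseline for this account yet
        hour = datetime.fromtimestamp(t, timezone.utc).hour
        start, end = window
        if not start <= hour < end:
            flagged.append((user, t, hour))
    return flagged


if __name__ == "__main__":
    baseline = pack_lastlog({0: (1699990000, "tty1", ""),
                             1000: (1700000000, "pts/0", "10.0.0.5"),
                             1001: (1700003600, "pts/1", "10.0.0.7")})
    # Constructed tampering: uid 1001 dropped, root's timestamp rolled back.
    current = pack_lastlog({0: (1699900000, "tty1", ""),
                            1000: (1700000000, "pts/0", "10.0.0.5")})
    for finding in audit_lastlog(baseline, current):
        print(finding)
    print(off_hours_logins([("alice", 1700000000), ("alice", 1700040000)], {"alice": (8, 18)}))
```

The snapshot comparison only works if the baseline was taken on read-only media or copied off the host before the incident, which is the "advance preparation" the RFC text refers to; a baseline the intruder could also edit proves nothing.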
    This 36 page report (GAO/IMTEC-89-57), by the U.S. Government
    Accounting Office, describes the Internet worm and its effects. It
    gives a good overview of the various U.S. agencies involved in the
    Internet today and their concerns vis-a-vis computer security and
    networking.

    Available on-line on host nnsc.nsf.net, directory
--
    NCSC, "A Guide to Understanding CONFIGURATION MANAGEMENT in Trusted
    Systems", NCSC-TG-006, Version-1, 28 March 1988, 31 pages.

    Configuration management consists of four separate tasks:
    identification, control, status accounting, and auditing. For every
    change that is made to an automated data processing (ADP) system,
    the design and requirements of the changed version of the system
    should be identified. The control task of configuration management
    is performed by subjecting every change to documentation, hardware,
    and software/firmware to review and approval by an authorized
    authority. Configuration status accounting is responsible for
    recording and reporting on the configuration of the product
    throughout the change. Finally, through the process of a
    configuration audit, the completed change can be verified to be
    functionally correct, and for trusted systems, consistent with the
    security policy of the system.
--
../data/rfc/rfc6613.txt

    A device that provides an access service for a user to a network.
    Also referred to as a Network Access Server, or NAS.

  RADIUS server
    A device that provides one or more of authentication, authorization,
    and/or accounting (AAA) services to a NAS.

  RADIUS proxy
    A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS
    client to the RADIUS server.

  RADIUS request packet
    A packet originated by a RADIUS client to a RADIUS server. For
    example, Access-Request, Accounting-Request, CoA-Request, or
    Disconnect-Request.

  RADIUS response packet
    A packet sent by a RADIUS server to a RADIUS client, in response to
    a RADIUS request packet. For example, Access-Accept, Access-Reject,
    Access-Challenge, Accounting-Response, or CoA-ACK.

  RADIUS/UDP
    RADIUS over UDP, as defined in [RFC2865].

  RADIUS/TCP
--
    is also noted in [RFC3539], Section 2.4.

    An additional limit is the requirement to send a Status-Server
    packet over the same TCP connection as is used for normal requests.
    As noted in [RFC5997], the response to a Status-Server packet is
    either an Access-Accept or an Accounting-Response.
    If all IDs were allocated to normal requests, then there would be no
    free ID to use for the Status-Server packet, and it could not be
    sent over the connection.

    Implementations SHOULD reserve ID zero (0) on each TCP connection for
--
  [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
            "Remote Authentication Dial In User Service (RADIUS)",
            RFC 2865, June 2000.

  [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and
            Accounting (AAA) Transport Profile", RFC 3539, June 2003.

  [RFC5997] DeKok, A., "Use of Status-Server Packets in the Remote
            Authentication Dial In User Service (RADIUS) Protocol",
            RFC 5997, August 2010.
--
            "Transport Layer Security (TLS) Encryption for RADIUS",
            RFC 6614, May 2012.

5.2. Informative References

  [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

  [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
            Dial In User Service) Support For Extensible Authentication
            Protocol (EAP)", RFC 3579, September 2003.
--
  [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
            RFC 4669, August 2006.
  [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6",
            RFC 4670, August 2006.

  [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6",
            RFC 4671, August 2006.

  [RFC4672] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
            Authorization Client MIB", RFC 4672, September 2006.
--
../data/rfc/rfc3344.txt

    When the mobile node receives an Agent Advertisement with the 'R'
    bit set, the mobile node SHOULD register through the foreign agent,
    even when the mobile node might be able to acquire its own
    co-located care-of address. This feature is intended to allow sites
    to enforce visiting policies (such as accounting) which require
    exchanges of authorization.

    If formerly reserved bits require some kind of monitoring/enforcement
    at the foreign link, foreign agents implementing the new
    specification for the formerly reserved bits can set the 'R' bit.
--
../data/rfc/rfc2512.txt

    A. Prasad
    Cisco Systems, Inc.
    February 1999

              Accounting Information for ATM Networks

Status of this Memo

    This document specifies an Internet standards track protocol for the
    Internet community, and requests discussion and suggestions for
--
    This memo defines a portion of the Management Information Base (MIB)
    for use with network management protocols in the Internet community.
    A separate memo [16] defines managed objects, in a manner
    independent of the type of network, for controlling the selection,
    collection and storage of accounting information into files for
    later retrieval via a file transfer protocol. This memo defines a
    set of ATM-specific accounting information which can be collected
    for connections on ATM networks.

McCloghrie, et. al.          Standards Track                    [Page 1]

RFC 2512        Accounting Information for ATM Networks    February 1999

2. The SNMP Network Management Framework

    The SNMP Management Framework presently consists of five major
--
3. Overview

    In [16], the items of accounting data to be collected are specified
    as a set of objects. Which objects are contained in such a set is
    selectable by an administrator through the specification of one or
    more (subtree, list) tuples, where the set of objects to be
    collected is the union of the subsets specified by each tuple:
--
    of the string's value is set then the subset contains the object
    named by appending N as a single additional sub-identifier to the
    subtree.

    This memo specifies such a subtree containing a set of objects
    defining items of accounting information which are applicable to
    ATM connections.

    Note that all of the objects defined here have a MAX-ACCESS clause
    of not-accessible, since their purpose is not to be read/written by
    SNMP, but rather, to be the syntax and semantics of the set of
    information which can be represented within a single (subtree,
    list) tuple.

4. Definitions

ATM-ACCOUNTING-INFORMATION-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
    mib-2, Integer32, Counter64          FROM SNMPv2-SMI
    DisplayString, DateAndTime           FROM SNMPv2-TC
    AtmAddr                              FROM ATM-TC-MIB;


atmAccountingInformationMIB MODULE-IDENTITY
    LAST-UPDATED "9611052000Z"
    ORGANIZATION "IETF AToM MIB Working Group"
    CONTACT-INFO "
                  Keith McCloghrie
                  Cisco Systems, Inc.
--
    DESCRIPTION
            "The MIB module for identifying items of accounting
            information which are applicable to ATM connections."
    ::= { mib-2 59 }


atmAcctngMIBObjects OBJECT IDENTIFIER ::=
                                       { atmAccountingInformationMIB 1 }


-- Definitions of objects for use in specifying ATM accounting
-- data to be collected

atmAcctngDataObjects OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
            "This identifier defines a subtree under which various
            objects are defined such that a set of objects to be
            collected as ATM accounting data can be specified as a
            (subtree, list) tuple using this identifier as the subtree."
    ::= { atmAcctngMIBObjects 1 }

-- Objects defined under the atmAcctngDataObjects subtree
--
-- In each case the semantics of the object are interpreted with
-- respect to the creation/storage of an accounting record for a
-- particular connection on a particular interface.

atmAcctngConnectionType OBJECT-TYPE
    SYNTAX      INTEGER { pvc(1),
                          pvp(2),
--
    STATUS      current
    DESCRIPTION
            "An indication of whether the connection is point-to-point
--
    SYNTAX      AtmAddr
    MAX-ACCESS  not-accessible
    STATUS      current
--
                          onCommand(3) }
    MAX-ACCESS  not-accessible
    STATUS      current
--
    STATUS      current
    DESCRIPTION
            "The number of cells, including OAM cells, received by this
--
    ::= { atmAcctngDataObjects 21 }

atmAcctngTransmitTrafficDescriptorParam3 OBJECT-TYPE
--
atmAcctngReceiveTrafficDescriptorParam1 OBJECT-TYPE
    SYNTAX      INTEGER (0..2147483647)
    MAX-ACCESS  not-accessible
--
    DESCRIPTION
            "The fifth traffic descriptor parameter in the direction in
            which this switch receives cells on this connection.
--
    SYNTAX      OCTET STRING (SIZE(2))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The value of the CRC-16 checksum (as defined by ISO 3309
            (HDLC) and/or ITU X.25) calculated over the accounting
            record containing this object.
            While the mechanism for calculating/encoding the checksum
            value is specific to the method of encoding the accounting
            record, an accounting record containing this object is
            typically generated by initializing the value of this object
            to the all-zeros string ('0000'H), with the location of
            these zeros being saved. After generating the record, the
            checksum is calculated over the whole connection record and
            then the all-zeros value is overwritten (at the saved
--
END

5. Acknowledgements
--
  [12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM)
       for version 3 of the Simple Network Management Protocol
       (SNMPv3)", RFC 2274, January 1998.
--
  [15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
       Control Model (VACM) for the Simple Network Management Protocol
       (SNMP)", RFC 2275, January 1998.

  [16] McCloghrie, K., Heinanen, J., Greene, W. and A. Prasad, "Managed
       Objects for Controlling the Collection and Storage of Accounting
       Information for Connection-Oriented Networks", RFC 2513,
       February 1999.

  [17] Noto, M., Spiegel, E. and K. Tesink, "Definitions of Textual
       Conventions and OBJECT-IDENTITIES for ATM Management", RFC 2514,
       February 1999.

7. Security Considerations

    This MIB module defines data items for potential use as accounting
    information. Each of these data items is only accessible through a
    collected accounting file. After being collected, the accounting
    data should be protected against modification or unauthorized
    deletion.

8. IANA Considerations
--
9. Authors' Addresses

    Keith McCloghrie
--
10. Full Copyright Statement

    Copyright (C) The Internet Society (1999). All Rights Reserved.
--
../data/rfc/rfc4652.txt

    (maximum/minimum) bandwidth per priority of which an LSP can make
    use. This information is usually used in combination with the
    Unreserved Bandwidth sub-TLV that provides the amount of bandwidth
    not yet reserved on a TE link.

    In the ASON context, other bandwidth accounting representations are
    possible, e.g., in terms of a set of tuples <signal_type; number of
    unallocated timeslots>. The latter representation may also require
    definition of additional signal types (from those defined in
    [RFC3946]) to represent support of contiguously concatenated
    signals, i.e., STS-(3xN)c SPE / VC-4-Nc, N = 4, 16, 64, 256.

    However, the method proposed in [RFC4202] is the most
    straightforward without requiring any bandwidth accounting change
    from an LSR perspective (in particular, when the ISCD sub-TLV
    information is combined with the information provided by the
    Unreserved Bandwidth sub-TLV).
--
    Link Attributes    Representation of cross/inter-layer relationships
                       in link top-level link TLV (see Section 5.3.1).

                       Optionally, provide for per-signal-type bandwidth
                       accounting (see Section 5.3.1).

                       Scoping TE link advertisements to allow for
                       retrieving their respective local-remote TE
                       Router_ID relationship(s) (see Section 5.7).
--
    Link Attributes    Representation of cross/inter-layer relationships
                       in Extended IS Reachability TLV (see Section
                       5.3.1).

                       Optionally, provide for per-signal-type bandwidth
                       accounting (see Section 5.3.1).

                       Scoping Extended IS Reachability TLVs to allow
                       for retrieving their respective local-remote TE
                       Router_ID relationship(s) (see Section 5.7).
--
    Management plane: Performs management functions for the Transport
    Plane, the control plane, and the system as a whole. It also
    provides coordination between all the planes. The following
    management functional areas are performed in the management plane:
    performance, fault, configuration, accounting, and security
    management.

    Management domain (see Recommendation G.805): A management domain
    defines a collection of managed objects that are grouped to meet
    organizational requirements according to geography, technology,
    policy, or other structure, and for a number of functional areas
    such as fault, configuration, accounting, performance, and security
    (FCAPS), for the purpose of providing control in a consistent
    manner. Management domains can be disjoint, contained, or
    overlapping. As such, the resources within an administrative domain
    can be distributed into several possible overlapping management
    domains.
--
../data/rfc/rfc4679.txt

    Information Suboptions [RFC4243]. This document describes the
    subscriber line identification and characterization information and
    its mapping to RADIUS VSAs by the BRAS.

    The information acquired may be used to provide authentication and
    accounting functionality. It may also be collected and used for
    management and troubleshooting purposes.

2. Terminology

    The following sections define the usage and meaning of certain
--
    This Attribute contains information describing the subscriber
    agent circuit identifier corresponding to the logical access loop
    port of the Access Node/DSLAM from which a subscriber's requests
    are initiated. It MAY be present in both Access-Request and
    Accounting-Request packets.

    A summary of the Agent-Circuit-Id Attribute format is shown below.
    The fields are transmitted from left to right.
--
    string sent from the Access Node/DSLAM); Agent-Remote-Id (an
    operator-defined string configured on and sent by the Access
    Node/DSLAM).

    This Attribute MAY be included in both Access-Request and
    Accounting-Request packets.

    A summary of the Agent-Remote-Id Attribute format is shown below.
    The fields are transmitted from left to right.
--
  Description

    This Attribute contains the actual upstream train rate of a
    subscriber's synchronized DSL link. It MAY be included in both
    Access-Request and Accounting-Request packets.

    A summary of the Actual-Data-Rate-Upstream Attribute format is shown
    below. The fields are transmitted from left to right.
--
  Description

    This Attribute contains the actual downstream train rate of a
    subscriber's synchronized DSL link. It MAY be included in both
    Access-Request and Accounting-Request packets.

    A summary of the Actual-Data-Rate-Downstream Attribute format is
    shown below. The fields are transmitted from left to right.
--
3.3.5. Minimum-Data-Rate-Upstream

  Description

    This Attribute contains the subscriber's operator-configured
    minimum upstream data rate. It MAY be included in
    Accounting-Request packets.

    A summary of the Minimum-Data-Rate-Upstream Attribute format is
    shown below. The fields are transmitted from left to right.
--
3.3.6. Minimum-Data-Rate-Downstream

  Description

    This Attribute contains the subscriber's operator-configured
    minimum downstream data rate. It MAY be included in
    Accounting-Request packets.

    A summary of the Minimum-Data-Rate-Downstream Attribute format is
    shown below. The fields are transmitted from left to right.
--
3.3.7. Attainable-Data-Rate-Upstream

  Description

    This Attribute contains the subscriber's attainable upstream data
    rate. It MAY be included in Accounting-Request packets.

    A summary of the Attainable-Data-Rate-Upstream Attribute format is
    shown below. The fields are transmitted from left to right.
--
3.3.8. Attainable-Data-Rate-Downstream

  Description

    This Attribute contains the subscriber's attainable downstream
    data rate. It MAY be included in Accounting-Request packets.

    A summary of the Attainable-Data-Rate-Downstream Attribute format
    is shown below. The fields are transmitted from left to right.
--
  Description

    This Attribute contains the subscriber's maximum upstream data
    rate, as configured by the operator.
    It MAY be included in Accounting-Request packets.

    A summary of the Maximum-Data-Rate-Upstream Attribute format is
    shown below. The fields are transmitted from left to right.
--
  Description

    This Attribute contains the subscriber's maximum downstream data
    rate, as configured by the operator. It MAY be included in
    Accounting-Request packets.
--
  Description

    This Attribute contains the subscriber's minimum upstream data
    rate in low power state, as configured by the operator. It MAY be
    included in Accounting-Request packets.

    A summary of the Minimum-Data-Rate-Upstream-Low-Power Attribute
    format is shown below. The fields are transmitted from left to
    right.
--
  Description

    This Attribute contains the subscriber's minimum downstream data
    rate in low power state, as configured by the operator. It MAY be
    included in Accounting-Request packets.

    A summary of the Minimum-Data-Rate-Downstream-Low-Power Attribute
    format is shown below. The fields are transmitted from left to
    right.
../data/rfc/rfc4679.txt- -- ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- Description ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- This Attribute contains the subscriber's maximum one-way upstream ../data/rfc/rfc4679.txt- interleaving delay, as configured by the operator. It MAY be ../data/rfc/rfc4679.txt: included in Accounting-Request packets. ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- A summary of the Maximum-Interleaving-Delay-Upstream Attribute format ../data/rfc/rfc4679.txt- is shown below. The fields are transmitted from left to right. ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- 0 1 2 3 -- ../data/rfc/rfc4679.txt-3.3.14. Actual-Interleaving-Delay-Upstream ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- Description ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- This Attribute contains the subscriber's actual one-way upstream ../data/rfc/rfc4679.txt: interleaving delay. It MAY be included in Accounting-Request ../data/rfc/rfc4679.txt- packets. ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- A summary of the Actual-Interleaving-Delay-Upstream Attribute format ../data/rfc/rfc4679.txt- is shown below. The fields are transmitted from left to right. ../data/rfc/rfc4679.txt- -- ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- Description ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- This Attribute contains the subscriber's maximum one-way ../data/rfc/rfc4679.txt- downstream interleaving delay, as configured by the operator. It ../data/rfc/rfc4679.txt: MAY be included in Accounting-Request packets. ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- A summary of the Maximum-Interleaving-Delay-Downstream Attribute ../data/rfc/rfc4679.txt- format is shown below. The fields are transmitted from left to ../data/rfc/rfc4679.txt- right. ../data/rfc/rfc4679.txt- -- ../data/rfc/rfc4679.txt-3.3.16. 
Actual-Interleaving-Delay-Downstream ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- Description ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- This Attribute contains the subscriber's actual one-way downstream ../data/rfc/rfc4679.txt: interleaving delay. It MAY be included in Accounting-Request ../data/rfc/rfc4679.txt- packets. ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- A summary of the Actual-Interleaving-Delay-Downstream Attribute ../data/rfc/rfc4679.txt- format is shown below. The fields are transmitted from left to ../data/rfc/rfc4679.txt- right. -- ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- Description ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- This Attribute describes the encapsulation(s) used by the ../data/rfc/rfc4679.txt- subscriber on the DSL access loop. It MAY be present in both ../data/rfc/rfc4679.txt: Access-Request and Accounting-Request packets. ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- A summary of the Access-Loop-Encapsulation Attribute format is shown ../data/rfc/rfc4679.txt- below. The fields are transmitted from left to right. ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- 0 1 2 3 -- ../data/rfc/rfc4679.txt- Description ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- The presence of this Attribute indicates that the IWF has been ../data/rfc/rfc4679.txt- performed with respect to the subscriber's session; note that no ../data/rfc/rfc4679.txt- data field is necessary. It MAY be included in both Access- ../data/rfc/rfc4679.txt: Request and Accounting-Request packets. ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- A summary of the IWF-Session Attribute format is shown below. The ../data/rfc/rfc4679.txt- fields are transmitted from left to right. ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- 0 1 -- ../data/rfc/rfc4679.txt- ../data/rfc/rfc4679.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. 
Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

6.2.  Informative References

   [IANA]     Internet Assigned Numbers Authority, "PRIVATE ENTERPRISE
              NUMBERS", January 2006,
--
../data/rfc/rfc762.txt:

   Decimal   Octal     Assignment
   1         1         Reserved
   2-71      2-107     AHHP Regular Messages [1,3]
   72-151    110-227   Reserved
   152       230       PARC Universal Protocol
   153       231       TIP Status Reporting
   154       232       TIP Accounting
   155-158   233-236   Internet Protocol [44]
   159-191   237-277   Measurements [28]
   192-195   300-303   Message Switching Protocol [4,5]
   196-255   304-377   Experimental Protocols
   224-255   340-377   NVP [1,39]
--
../data/rfc/rfc1095.txt:

   functional areas to meet specific management needs.  This has proved
   to be a helpful way of partitioning the network management problem
   from an application point of view.  These facilities have come to be
   known as the Specific Management Functional Areas (SMFAs): fault
   management, configuration management, performance management,
   accounting management, and security management.  Fault management
   provides the ability to detect, isolate, and correct network
   problems.  Configuration management enables network managers to
   change the configuration of remote network elements.

RFC 1095                       CMOT                         April 1989

   Performance management provides the facilities to monitor and
   evaluate the performance of the network.  Accounting management makes
   it possible to charge users for network resources used and to limit
   the use of those resources.  Finally, security management is
   concerned with managing access control, authentication, encryption,
   key management, and so on.
--
4.1.2.  The Functional Model

   The CMOT architecture provides the foundation for carrying out
   management in the five functional areas (fault, configuration,
   performance, accounting, and security), but does not address
   specifically how any of these types of management are accomplished.
   It is anticipated that most functional requirements can be satisfied
   by CMIS.  The greatest impact of the functional requirements in the
   various areas will likely be on the definition of managed objects.
--
../data/rfc/rfc2059.txt:

Network Working Group                                          C. Rigney
Request for Comments: 2059                                    Livingston
Category: Informational                                     January 1997

                            RADIUS Accounting

Status of this Memo

   This memo provides information for the Internet community.
This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Abstract

   This document describes a protocol for carrying accounting
   information between a Network Access Server and a shared Accounting
   Server.

Table of Contents

   1.     Introduction
   1.1    Specification of Requirements
   1.2    Terminology
   2.     Operation
   3.     Packet Format
   4.     Packet Types
   4.1    Accounting-Request
   4.2    Accounting-Response
   5.     Attributes
   5.1    Acct-Status-Type
   5.2    Acct-Delay-Time
   5.3    Acct-Input-Octets
   5.4    Acct-Output-Octets
--
Rigney                       Informational                      [Page 1]

RFC 2059                    RADIUS Accounting                January 1997

1.  Introduction

   Managing dispersed serial line and modem pools for large numbers of
   users can create the need for significant administrative support.
   Since modem pools are by definition a link to the outside world, they
   require careful attention to security, authorization and accounting.
   This can be best achieved by managing a single "database" of users,
   which allows for authentication (verifying user name and password) as
   well as configuration information detailing the type of service to
   deliver to the user (for example, SLIP, PPP, telnet, rlogin).

   The RADIUS (Remote Authentication Dial In User Service) document [4]
   specifies the RADIUS protocol used for Authentication and
   Authorization.  This memo extends the use of the RADIUS protocol to
   cover delivery of accounting information from the Network Access
   Server (NAS) to a RADIUS accounting server.

   Key features of RADIUS Accounting are:

   Client/Server Model

      A Network Access Server (NAS) operates as a client of the
      RADIUS accounting server.  The client is responsible for
      passing user accounting information to a designated RADIUS
      accounting server.

      The RADIUS accounting server is responsible for receiving the
      accounting request and returning a response to the client
      indicating that it has successfully received the request.

      The RADIUS accounting server can act as a proxy client to other
      kinds of accounting servers.

   Network Security

      Transactions between the client and RADIUS accounting server
      are authenticated through the use of a shared secret, which is
      never sent over the network.

   Extensible Protocol

--
1.1  Specification of Requirements

   MUST      This word, or the adjective "required", means that the
--
             constitutes a session, with the beginning of the session
             defined as the point where service is first provided and
             the end of the session defined as the point where service
             is ended.  A user may have multiple sessions in parallel or
             series if the NAS supports that, with each session
             generating a separate start and stop accounting record with
             its own Acct-Session-Id.

   silently discard
             This means the implementation discards the packet without
             further processing.  The implementation SHOULD provide the
--
             the silently discarded packet, and SHOULD record the event
             in a statistics counter.

2.  Operation

   When a client is configured to use RADIUS Accounting, at the start of
   service delivery it will generate an Accounting Start packet
   describing the type of service being delivered and the user it is
   being delivered to, and will send that to the RADIUS Accounting
   server, which will send back an acknowledgement that the packet has
   been received.  At the end of service delivery the client will
   generate an Accounting Stop packet describing the type of service
   that was delivered and optionally statistics such as elapsed time,
   input and output octets, or input and output packets.  It will send
   that to the RADIUS Accounting server, which will send back an
   acknowledgement that the packet has been received.

   The Accounting-Request (whether for Start or Stop) is submitted to
   the RADIUS accounting server via the network.  It is recommended that
   the client continue attempting to send the Accounting-Request packet
   until it receives an acknowledgement, using some form of backoff.  If
   no response is returned within a length of time, the request is
   re-sent a number of times.  The client can also forward requests to
   an alternate server or servers in the event that the primary server
   is down or unreachable.  An alternate server can be used either after
   a number of tries to the primary server fail, or in a round-robin
   fashion.  Retry and fallback algorithms are the topic of current
   research and are not specified in detail in this document.

   The RADIUS accounting server MAY make requests of other servers in
   order to satisfy the request, in which case it acts as a client.

   If the RADIUS accounting server is unable to successfully record the
   accounting packet it MUST NOT send an Accounting-Response
   acknowledgment to the client.

3.  Packet Format

   Exactly one RADIUS Accounting packet is encapsulated in the UDP Data
   field [1], where the UDP Destination Port field indicates 1813
   (decimal).

   When a reply is generated, the source and destination ports are
   reversed.
--
   A summary of the RADIUS data format is shown below.  The fields are
   transmitted from left to right.
--
   The Code field is one octet, and identifies the type of RADIUS
   packet.  When a packet is received with an invalid Code field, it is
   silently discarded.

   RADIUS Accounting Codes (decimal) are assigned as follows:

       4       Accounting-Request
       5       Accounting-Response

Identifier

   The Identifier field is one octet, and aids in matching requests and
--
Authenticator

   The Authenticator field is sixteen (16) octets.  The most significant
   octet is transmitted first.  This value is used to authenticate the
   messages between the client and RADIUS accounting server.

   Request Authenticator

      In Accounting-Request Packets, the Authenticator value is a 16
      octet MD5 [3] checksum, called the Request Authenticator.

      The NAS and RADIUS accounting server share a secret.  The Request
      Authenticator field in Accounting-Request packets contains a one-
      way MD5 hash calculated over a stream of octets consisting of the
      Code + Identifier + Length + 16 zero octets + request attributes +
      shared secret (where + indicates concatenation).  The 16 octet MD5
      hash value is stored in the Authenticator field of the
      Accounting-Request packet.

      Note that the Request Authenticator of an Accounting-Request
      cannot be computed the same way as the Request Authenticator of a
      RADIUS Access-Request, because there is no User-Password attribute
      in an Accounting-Request.

   Response Authenticator

      The Authenticator field in an Accounting-Response packet is called
      the Response Authenticator, and contains a one-way MD5 hash
      calculated over a stream of octets consisting of the Accounting-
      Response Code, Identifier, Length, the Request Authenticator field
      from the Accounting-Request packet being replied to, and the
      response attributes if any, followed by the shared secret.  The
      resulting 16 octet MD5 hash value is stored in the Authenticator
      field of the Accounting-Response packet.

Attributes

   Attributes may have multiple instances, in such a case the order of
   attributes of the same type SHOULD be preserved.
The order of
--
4.1.  Accounting-Request

   Description

      Accounting-Request packets are sent from a client (typically a
      Network Access Server or its proxy) to a RADIUS accounting server,
      and convey information used to provide accounting for a service
      provided to a user.  The client transmits a RADIUS packet with the
      Code field set to 4 (Accounting-Request).

      Upon receipt of an Accounting-Request, the server MUST transmit an
      Accounting-Response reply if it successfully records the
      accounting packet, and MUST NOT transmit any reply if it fails to
      record the accounting packet.

      Any attribute valid in a RADIUS Access-Request or Access-Accept
      packet is valid in a RADIUS Accounting-Request packet, except that
      the following attributes MUST NOT be present in an Accounting-
      Request:  User-Password, CHAP-Password, Reply-Message, State.
      Either NAS-IP-Address or NAS-Identifier MUST be present in a
      RADIUS Accounting-Request.  It SHOULD contain a NAS-Port or NAS-
      Port-Type attribute or both unless the service does not involve a
      port or the NAS does not distinguish among its ports.

   A summary of the Accounting-Request packet format is shown below.
   The fields are transmitted from left to right.

   (packet format diagram not reproduced here; its fields are
   described below)

   Code

      4 for Accounting-Request.

   Identifier

      The Identifier field MUST be changed whenever the content of the
      Attributes field changes, and whenever a valid reply has been
      received for a previous request.  For retransmissions where the
      contents are identical, the Identifier MUST remain unchanged.

      Note that if Acct-Delay-Time is included in the attributes of an
      Accounting-Request then the Acct-Delay-Time value will be updated
      when the packet is retransmitted, changing the content of the
      Attributes field and requiring a new Identifier and Request
      Authenticator.

   Request Authenticator

      The Request Authenticator of an Accounting-Request contains a 16-
      octet MD5 hash value calculated according to the method described
      in "Request Authenticator" above.

   Attributes

      The Attributes field is variable in length, and contains a list of
      Attributes.

4.2.  Accounting-Response

   Description

      Accounting-Response packets are sent by the RADIUS accounting
      server to the client to acknowledge that the Accounting-Request
      has been received and recorded successfully.  If the Accounting-
      Request was recorded successfully then the RADIUS accounting
      server MUST transmit a packet with the Code field set to 5
      (Accounting-Response).  On reception of an Accounting-Response by
      the client, the Identifier field is matched with a pending
      Accounting-Request.  Invalid packets are silently discarded.

      A RADIUS Accounting-Response is not required to have any
      attributes in it.
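   The exchange described in sections 3, 4.1 and 4.2 above, as an added
   example in Python (not code from the RFC).  It builds an
   Accounting-Request, computes the Request Authenticator exactly as
   specified (MD5 over Code + Identifier + Length + 16 zero octets +
   attributes + shared secret), has the server verify it, discards the
   request on an invalid attribute Length or a forbidden attribute, and
   answers with an Accounting-Response whose Response Authenticator is
   keyed on the request's authenticator.  Returning None from the
   server-side check stands for the rule that a request the server
   cannot verify or record gets no reply at all.  The attribute type
   numbers (User-Password = 2, NAS-IP-Address = 4, Acct-Status-Type = 40
   and so on) are taken from the RADIUS attribute registry and are not
   shown on this page; the shared secret, addresses and session id are
   constructed.

```python
"""RADIUS Accounting packet construction and verification (RFC 2059 sections 3 and 4).

Added example, not code from the RFC.  Attribute type numbers are taken from
the RADIUS attribute registry and are not shown on this page; packets and the
shared secret below are constructed."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5          # Code values from section 3
# Attribute types (RADIUS registry; assumed, not listed on this page).
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 18, 24, 32
ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID = 40, 41, 44
FORBIDDEN_IN_ACCT = {USER_PASSWORD, CHAP_PASSWORD, REPLY_MESSAGE, STATE}   # section 4.1
ACCT_START, ACCT_STOP = 1, 2                             # Acct-Status-Type values, section 5.1


def encode_attrs(attrs):
    """Serialize (type, value) pairs as Type/Length/Value; Length counts all three fields."""
    out = bytearray()
    for typ, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)             # 'integer' values are 32-bit big-endian
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 octets")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return bytes(out)


def parse_attrs(data):
    """Walk the TLV list; return None on any invalid Length (the whole request is then discarded)."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            return None
        typ, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            return None
        attrs.append((typ, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_accounting_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_accounting_request(packet, secret):
    """Server side.  Returns (identifier, attrs) or None; None means: record nothing, send no reply."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    header, received_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(received_auth, expected):   # constant-time compare
        return None
    attrs = parse_attrs(body)
    if attrs is None:
        return None
    types = {t for t, _ in attrs}
    if (types & FORBIDDEN_IN_ACCT) or not (types & {NAS_IP_ADDRESS, NAS_IDENTIFIER}):
        return None
    return identifier, attrs


def build_accounting_response(request_packet, secret, attrs=()):
    """Response Authenticator = MD5(Code + Identifier + Length + Request Authenticator + attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request_packet[1], 20 + len(body))
    auth = hashlib.md5(header + request_packet[4:20] + body + secret).digest()
    return header + auth + body


def verify_accounting_response(response, request_packet, secret):
    """Client side: match the Identifier to the pending request, then check the Response Authenticator."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request_packet[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_packet[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def demo():
    """Constructed exchange: Start record, acknowledgement, a tampered copy, and a retransmission."""
    secret = b"constructed-shared-secret"                  # never appears on the wire
    attrs = [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
             (ACCT_STATUS_TYPE, ACCT_START), (ACCT_SESSION_ID, b"3A1F0001"), (ACCT_DELAY_TIME, 0)]
    req = build_accounting_request(0x2A, attrs, secret)
    acked = verify_accounting_response(build_accounting_response(req, secret), req, secret)
    # Same header and authenticator, attributes altered in flight: the server must stay silent.
    attrs[-1] = (ACCT_DELAY_TIME, 5)
    tampered_rejected = verify_accounting_request(req[:20] + encode_attrs(attrs), secret) is None
    # Legitimate retransmission after 5 s: Acct-Delay-Time changed, so a new Identifier and
    # Request Authenticator are required (section 4.1), and the server accepts the new packet.
    retry = build_accounting_request(0x2B, attrs, secret)
    return acked, tampered_rejected, verify_accounting_request(retry, secret) is not None
```

   Two points the code makes concrete: the authenticator is an integrity
   and origin check keyed by the shared secret, not encryption, so every
   attribute in an Accounting-Request crosses the network in the clear;
   and because Acct-Delay-Time changes on every retransmission, a
   retransmitted record is a new packet with a new Identifier and
   authenticator rather than a byte-identical replay, which is why the
   server cannot use a simple duplicate-packet filter to detect retries.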
   A summary of the Accounting-Response packet format is shown below.
   The fields are transmitted from left to right.

   (packet format diagram not reproduced here; its fields are
   described below)

   Code

      5 for Accounting-Response.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      Accounting-Request which caused this Accounting-Response.

   Response Authenticator

      The Response Authenticator of an Accounting-Response contains a
      16-octet MD5 hash value calculated according to the method
      described in "Response Authenticator" above.

   Attributes

--
      zero or more Attributes.

5.  Attributes

   RADIUS Attributes carry the specific authentication, authorization
   and accounting details for the request and response.

   Some attributes MAY be included more than once.  The effect of this
   is attribute specific, and is specified in each attribute
   description.
--
   A summary of the attribute format is shown below.  The fields are
   transmitted from left to right.
--
   Length

      The Length field is one octet, and indicates the length of this
      attribute including the Type, Length and Value fields.  If an
      attribute is received in an Accounting-Request with an invalid
      Length, the entire request should be silently discarded.

   Value

      The Value field is zero or more octets and contains information
--
      string    0-253 octets

      address   32 bit value, most significant octet first.
--
5.1.  Acct-Status-Type

   Description

      This attribute indicates whether this Accounting-Request marks the
      beginning of the user service (Start) or the end (Stop).

      It MAY be used by the client to mark the start of accounting (for
      example, upon booting) by specifying Accounting-On and to mark the
      end of accounting (for example, just before a scheduled reboot) by
      specifying Accounting-Off.

   A summary of the Acct-Status-Type attribute format is shown below.
   The fields are transmitted from left to right.
--
   Value

      The Value field is four octets.

       1      Start
       2      Stop
       7      Accounting-On
       8      Accounting-Off

5.2.  Acct-Delay-Time

   Description

      This attribute indicates how many seconds the client has been
      trying to send this record for, and can be subtracted from the
      time of arrival on the server to find the approximate time of the
      event generating this Accounting-Request.  (Network transit time
      is ignored.)

      Note that changing the Acct-Delay-Time causes the Identifier to
      change; see the discussion under Identifier above.
--
5.3.  Acct-Input-Octets

   Description

      This attribute indicates how many octets have been received from
      the port over the course of this service being provided, and can
      only be present in Accounting-Request records where the Acct-
      Status-Type is set to Stop.

   A summary of the Acct-Input-Octets attribute format is shown below.
   The fields are transmitted from left to right.
--
5.4.  Acct-Output-Octets

   Description

      This attribute indicates how many octets have been sent to the
      port in the course of delivering this service, and can only be
      present in Accounting-Request records where the Acct-Status-Type
      is set to Stop.

   A summary of the Acct-Output-Octets attribute format is shown below.
   The fields are transmitted from left to right.
--
5.5.  Acct-Session-Id

   Description

      This attribute is a unique Accounting ID to make it easy to match
      start and stop records in a log file.  The start and stop records
      for a given session MUST have the same Acct-Session-Id.  It is
      strongly recommended that the Acct-Session-Id be a printable ASCII
      string.

   A summary of the Acct-Session-Id attribute format is shown below.
   The fields are transmitted from left to right.
--
5.6.  Acct-Authentic

   Description

      This attribute MAY be included in an Accounting-Request to
      indicate how the user was authenticated, whether by RADIUS, the
      NAS itself, or another remote authentication protocol.  Users who
      are delivered service without being authenticated SHOULD NOT
      generate Accounting records.

   A summary of the Acct-Authentic attribute format is shown below.  The
   fields are transmitted from left to right.
--
   Length

      6
--
5.7.  Acct-Session-Time

   Description

      This attribute indicates how many seconds the user has received
      service for, and can only be present in Accounting-Request records
      where the Acct-Status-Type is set to Stop.

   A summary of the Acct-Session-Time attribute format is shown below.
   The fields are transmitted from left to right.
../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-5.8. Acct-Input-Packets ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- Description ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- This attribute indicates how many packets have been received from ../data/rfc/rfc2059.txt- the port over the course of this service being provided to a ../data/rfc/rfc2059.txt: Framed User, and can only be present in Accounting-Request records ../data/rfc/rfc2059.txt- where the Acct-Status-Type is set to Stop. ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- A summary of the Acct-Input-Packets attribute format is shown below. ../data/rfc/rfc2059.txt- The fields are transmitted from left to right. ../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- Description ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- This attribute indicates how many packets have been sent to the ../data/rfc/rfc2059.txt- port in the course of delivering this service to a Framed User, ../data/rfc/rfc2059.txt: and can only be present in Accounting-Request records where the ../data/rfc/rfc2059.txt- Acct-Status-Type is set to Stop. ../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- A summary of the Acct-Output-Packets attribute format is shown below. ../data/rfc/rfc2059.txt- The fields are transmitted from left to right. ../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt-5.10.
Acct-Terminate-Cause ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- Description ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- This attribute indicates how the session was terminated, and can ../data/rfc/rfc2059.txt: only be present in Accounting-Request records where the Acct- ../data/rfc/rfc2059.txt- Status-Type is set to Stop. ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- A summary of the Acct-Terminate-Cause attribute format is shown ../data/rfc/rfc2059.txt- below. The fields are transmitted from left to right. ../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-Rigney Informational [Page 18] ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt:RFC 2059 RADIUS Accounting January 1997 ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- Length ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- 6 -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-Rigney Informational [Page 19] ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt:RFC 2059 RADIUS Accounting January 1997 ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- Port Error NAS detected an error on the port which ../data/rfc/rfc2059.txt- required ending the session. ../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-5.11. Acct-Multi-Session-Id ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- Description ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt: This attribute is a unique Accounting ID to make it easy to link ../data/rfc/rfc2059.txt- together multiple related sessions in a log file. Each session ../data/rfc/rfc2059.txt- linked together would have a unique Acct-Session-Id but the same ../data/rfc/rfc2059.txt- Acct-Multi-Session-Id. It is strongly recommended that the Acct- ../data/rfc/rfc2059.txt- Multi-Session-Id be a printable ASCII string. 
../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- A summary of the Acct-Multi-Session-Id attribute format is shown below. ../data/rfc/rfc2059.txt- The fields are transmitted from left to right. ../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt-5.12. Acct-Link-Count ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- Description ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- This attribute gives the count of links which are known to have ../data/rfc/rfc2059.txt: been in a given multilink session at the time the accounting ../data/rfc/rfc2059.txt- record is generated. The NAS MAY include the Acct-Link-Count ../data/rfc/rfc2059.txt: attribute in any Accounting-Request which might have multiple ../data/rfc/rfc2059.txt- links. ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- A summary of the Acct-Link-Count attribute format is shown below. The ../data/rfc/rfc2059.txt- fields are transmitted from left to right. ../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- Length ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- 6 -- ../data/rfc/rfc2059.txt- Value ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- The Value field is four octets, and contains the number of links ../data/rfc/rfc2059.txt- seen so far in this Multilink Session. ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt: It may be used to make it easier for an accounting server to know ../data/rfc/rfc2059.txt- when it has all the records for a given Multilink session.
When ../data/rfc/rfc2059.txt: the number of Accounting-Requests received with Acct-Status-Type = ../data/rfc/rfc2059.txt- Stop and the same Acct-Multi-Session-Id and unique Acct-Session- ../data/rfc/rfc2059.txt- Id's equals the largest value of Acct-Link-Count seen in those ../data/rfc/rfc2059.txt: Accounting-Requests, all Stop Accounting-Requests for that ../data/rfc/rfc2059.txt- Multilink Session have been received. ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt: An example showing 8 Accounting-Requests should make things ../data/rfc/rfc2059.txt- clearer. For clarity only the relevant attributes are shown, but ../data/rfc/rfc2059.txt: additional attributes containing accounting information will also ../data/rfc/rfc2059.txt: be present in the Accounting-Request. ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- Multi-Session-Id Session-Id Status-Type Link-Count ../data/rfc/rfc2059.txt- "10" "10" Start 1 ../data/rfc/rfc2059.txt- "10" "11" Start 2 ../data/rfc/rfc2059.txt- "10" "11" Stop 2 -- ../data/rfc/rfc2059.txt- "10" "10" Stop 4 ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-5.13. Table of Attributes ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- The following table provides a guide to which attributes may be found ../data/rfc/rfc2059.txt: in Accounting-Request packets. No attributes should be found in ../data/rfc/rfc2059.txt: Accounting-Response packets except Proxy-State and possibly Vendor- ../data/rfc/rfc2059.txt- Specific. 
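Worked example, added here and not part of RFC 2059 or of any implementation it describes: a small Python tracker that applies the completion rule of section 5.12 above to a stream of Accounting-Requests. The input is constructed to match the shape of the RFC's 8-record table; only its first three rows and its last row appear on this page, so the middle rows below are my own, as are the record and class names.

```python
"""Deciding when all Stop records of a RADIUS Multilink Session have arrived.

Added example (not RFC text). It implements the rule of RFC 2059 section 5.12:
a Multilink Session is complete once the number of distinct Acct-Session-Ids
seen with Acct-Status-Type = Stop under one Acct-Multi-Session-Id equals the
largest Acct-Link-Count carried by any of those Stop records.
"""
from collections import defaultdict
from dataclasses import dataclass

# Acct-Status-Type values from RFC 2059 section 5.1
START, STOP = 1, 2


@dataclass(frozen=True)
class AcctRecord:
    """The four attributes the RFC's example table shows; real records carry more."""
    multi_session_id: str
    session_id: str
    status_type: int
    link_count: int


class MultilinkTracker:
    """Groups Accounting-Requests by Acct-Multi-Session-Id and reports completion."""

    def __init__(self):
        self._stopped = defaultdict(set)    # multi-id -> Acct-Session-Ids that have a Stop
        self._max_links = defaultdict(int)  # multi-id -> largest Acct-Link-Count in a Stop

    def add(self, rec):
        """Ingest one record; return True when the Multilink Session is now complete."""
        if rec.status_type == STOP:
            # A set makes a retransmitted Stop (same Acct-Session-Id) count once.
            self._stopped[rec.multi_session_id].add(rec.session_id)
            self._max_links[rec.multi_session_id] = max(
                self._max_links[rec.multi_session_id], rec.link_count)
        return self.is_complete(rec.multi_session_id)

    def is_complete(self, multi_session_id):
        stopped = self._stopped.get(multi_session_id, set())
        return bool(stopped) and len(stopped) == self._max_links[multi_session_id]


def completion_index(records):
    """Index of the record that completes the session, or None if the Stops never add up."""
    tracker = MultilinkTracker()
    for i, rec in enumerate(records):
        if tracker.add(rec):
            return i
    return None


# Constructed input modelled on the RFC's 8-record example (the page shows only
# its first three rows and its last row; the middle rows here are my own).
SAMPLE = [
    AcctRecord("10", "10", START, 1),
    AcctRecord("10", "11", START, 2),
    AcctRecord("10", "11", STOP, 2),
    AcctRecord("10", "12", START, 3),
    AcctRecord("10", "13", START, 4),
    AcctRecord("10", "12", STOP, 4),
    AcctRecord("10", "13", STOP, 4),
    AcctRecord("10", "10", STOP, 4),
]

if __name__ == "__main__":
    print("in-order arrival completes at record", completion_index(SAMPLE))
    print("reversed arrival completes at record", completion_index(SAMPLE[::-1]))
```

Two things the rule itself does not say. Records travel over UDP and can arrive out of order, so the decision has to be made on the set of distinct Acct-Session-Ids that have a Stop rather than on a running count (the reversed-order run completes on its fourth Stop, before a single Start has been seen). And a lost Stop means the session never completes, so a server needs a timeout next to this check.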
../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- # Attribute ../data/rfc/rfc2059.txt- 0-1 User-Name -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-Rigney Informational [Page 22] ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt:RFC 2059 RADIUS Accounting January 1997 ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- 0-1 Framed-IP-Address ../data/rfc/rfc2059.txt- 0-1 Framed-IP-Netmask ../data/rfc/rfc2059.txt- 0-1 Framed-Routing -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-Rigney Informational [Page 23] ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt:RFC 2059 RADIUS Accounting January 1997 ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt: [4] An Accounting-Request MUST contain either a NAS-IP-Address or a ../data/rfc/rfc2059.txt- NAS-Identifier, and it is permitted (but not recommended) for it to ../data/rfc/rfc2059.txt- contain both. ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- The following table defines the above table entries. ../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt- 1 Exactly one instance of this attribute MUST be present. ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-Security Considerations ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- Security issues are briefly discussed in sections concerning the ../data/rfc/rfc2059.txt: authenticator included in accounting requests and responses, using a ../data/rfc/rfc2059.txt- shared secret which is never sent over the network. ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-References ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- [1] Postel, J., "User Datagram Protocol", STD 6, RFC 768, -- ../data/rfc/rfc2059.txt- Authentication Dial In User Service (RADIUS)", RFC 2058, ../data/rfc/rfc2059.txt- January 1997. 
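The Security Considerations above say only that an authenticator computed with the shared secret covers accounting requests and responses. The following added example (my code, not RFC text or any vendor's implementation) spells out what that check looks like on both sides, using the Request Authenticator and Response Authenticator constructions RFC 2059 defines in its packet-format section (not reproduced on this page) and the attribute type numbers from the same document; the user name, NAS address, session id and shared secret are constructed values. It also shows the point made under Acct-Delay-Time above: bumping that attribute on a retransmission changes the authenticator, so the retransmitted record is a different packet and needs a new Identifier.

```python
"""RADIUS accounting authenticators (RFC 2059 packet format).

Added example, not RFC text. Constructions used (from RFC 2059; + is concatenation):
  Request  Authenticator = MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
  Response Authenticator = MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)
Attribute type numbers are RFC 2059's; every sample value below is constructed.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5              # RADIUS Code values
USER_NAME, NAS_IP_ADDRESS = 1, 4                            # attribute types
ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID = 40, 41, 44
ACCT_START, ACCT_STOP = 1, 2                                # Acct-Status-Type values
HEADER_LEN = 20                                             # Code, Identifier, Length, Authenticator
SECRET = b"constructed-shared-secret"                       # constructed, never sent on the wire


def avp(attr_type, value):
    """Type(1) Length(1) Value(n); Length counts the two header octets."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def int_avp(attr_type, n):
    return avp(attr_type, struct.pack("!I", n))


def build_accounting_request(identifier, attributes, secret):
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(body))
    request_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_auth + body


def verify_accounting_request(packet, secret):
    """Server side: recompute over the packet with the Authenticator field zeroed."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not HEADER_LEN <= length <= len(packet):
        return False
    packet = packet[:length]                  # octets beyond Length are padding
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_accounting_response(request, secret, attributes=()):
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request[4:HEADER_LEN] + body + secret).digest()
    return header + response_auth + body


def verify_accounting_response(response, request, secret):
    """Client side: the reply must be bound to our request's Identifier and Request Authenticator."""
    if len(response) < HEADER_LEN or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if not HEADER_LEN <= length <= len(response):
        return False
    response = response[:length]
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def sample_request(identifier, delay_seconds, secret):
    """Constructed Stop record; Acct-Delay-Time grows on each retransmission."""
    return build_accounting_request(identifier, [
        avp(USER_NAME, b"alice"),
        avp(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
        int_avp(ACCT_STATUS_TYPE, ACCT_STOP),
        int_avp(ACCT_DELAY_TIME, delay_seconds),
        avp(ACCT_SESSION_ID, b"0000A1B2"),
    ], secret)


if __name__ == "__main__":
    req = sample_request(7, 0, SECRET)
    resp = build_accounting_response(req, SECRET)
    print("request verifies:", verify_accounting_request(req, SECRET))
    print("response verifies:", verify_accounting_response(resp, req, SECRET))
    print("retransmit with Acct-Delay-Time=30 changes authenticator:",
          sample_request(7, 30, SECRET)[4:HEADER_LEN] != req[4:HEADER_LEN])
```

MD5 keyed with the shared secret gives integrity and origin authentication against a party that does not hold the secret, and nothing more: the attributes travel in the clear, and nothing but the Identifier and Acct-Delay-Time distinguishes a replayed Accounting-Request from a genuine retransmission, so duplicate detection belongs in the server alongside this check.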
../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-Acknowledgments ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt: RADIUS and RADIUS Accounting were originally developed by Livingston ../data/rfc/rfc2059.txt- Enterprises for their PortMaster series of Network Access Servers. ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- -- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-Rigney Informational [Page 24] ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt:RFC 2059 RADIUS Accounting January 1997 ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt-Chair's Address ../data/rfc/rfc2059.txt- ../data/rfc/rfc2059.txt- The RADIUS working group can be contacted via the current chair: -- ../data/rfc/rfc200.txt- (May NWG Meeting) ../data/rfc/rfc200.txt-White Typographical Error in RFC 107 28 April 1971 6708 132 ../data/rfc/rfc200.txt-Sundberg File Transfer and Recovery 27 April 1971 6710 133 ../data/rfc/rfc200.txt-Vezza Network Graphics Meeting 29 April 1971 6711 134 ../data/rfc/rfc200.txt-Hathaway Response to NWG/RFC 110 29 April 1971 6712 135 ../data/rfc/rfc200.txt:Kahn Host Accounting and 29 April 1971 6713 136 ../data/rfc/rfc200.txt- Administrative Procedures ../data/rfc/rfc200.txt-O'Sullivan TELNET Protocol -- 30 April 1971 6714 137 ../data/rfc/rfc200.txt- A Proposed Document ../data/rfc/rfc200.txt-O'Sullivan TELNET Protocol -- 8 May 1971 6783 137 ../data/rfc/rfc200.txt- A Proposed Document (rev.) rev -- ../data/rfc/rfc1012.txt- MIT-Project MAC, 29 April 1971. ../data/rfc/rfc1012.txt- ../data/rfc/rfc1012.txt- 135 - Hathaway, Wayne, "Response to NWG/RFC 110", RFC 135 (NIC 6712), ../data/rfc/rfc1012.txt- Ames Research Center, 29 April 1971. ../data/rfc/rfc1012.txt- ../data/rfc/rfc1012.txt: 136 - Kahn, Robert, "Host Accounting and Administrative Procedures", ../data/rfc/rfc1012.txt- RFC 136 (NIC 6713), BBN, 29 April 1971. 
../data/rfc/rfc1012.txt- ../data/rfc/rfc1012.txt- 137 - O'Sullivan, Thomas C., "Telnet Protocol - A Proposed Document", ../data/rfc/rfc1012.txt- RFC 137 (NIC 6714), Raytheon, 30 April 1971, revised, ../data/rfc/rfc1012.txt- 8 May 1971. -- ../data/rfc/rfc5210.txt- use of spoofed source addresses. ../data/rfc/rfc5210.txt- ../data/rfc/rfc5210.txt- o Being able to assume that all packet source addresses are correct ../data/rfc/rfc5210.txt- would allow traceback to be accomplished accurately and with ../data/rfc/rfc5210.txt- confidence. This would benefit network diagnosis, management, ../data/rfc/rfc5210.txt: accounting, and applications. ../data/rfc/rfc5210.txt- ../data/rfc/rfc5210.txt- As part of the effort in developing a Source Address Validation ../data/rfc/rfc5210.txt- Architecture (SAVA), we implemented a SAVA prototype and deployed the ../data/rfc/rfc5210.txt- prototype in 12 ASes in an operational network as part of China Next ../data/rfc/rfc5210.txt- Generation Internet (CNGI) Project [Wu07]. We conducted evaluation -- ../data/rfc/rfc5470.txt- 13.1. Normative References .....................................30 ../data/rfc/rfc5470.txt- 13.2. Informative References ...................................30 ../data/rfc/rfc5470.txt- ../data/rfc/rfc5470.txt-1. Introduction ../data/rfc/rfc5470.txt- ../data/rfc/rfc5470.txt: There are several applications, e.g., usage-based accounting, traffic ../data/rfc/rfc5470.txt- profiling, traffic engineering, attack/intrusion detection, quality- ../data/rfc/rfc5470.txt- of-service (QoS) monitoring, that require Flow-based IP traffic ../data/rfc/rfc5470.txt- measurements. It is therefore important to have a standard way of ../data/rfc/rfc5470.txt- exporting information related to IP Flows. This document defines an ../data/rfc/rfc5470.txt- architecture for IP traffic Flow monitoring, measuring, and -- ../data/rfc/rfc5470.txt- ../data/rfc/rfc5470.txt-7. 
IPFIX Protocol Details ../data/rfc/rfc5470.txt- ../data/rfc/rfc5470.txt- When the IPFIX Working Group was chartered, there were existing ../data/rfc/rfc5470.txt- common practices in the area of Flow export, for example, NetFlow, ../data/rfc/rfc5470.txt: CRANE (Common Reliable Accounting for Network Element), LFAP (Light- ../data/rfc/rfc5470.txt- weight Flow Admission Protocol), RTFM (Real-time Traffic Flow ../data/rfc/rfc5470.txt- Measurement), etc. IPFIX's charter required the Working Group to ../data/rfc/rfc5470.txt- consider those existing practices, and select the one that was the ../data/rfc/rfc5470.txt- closest fit to the IPFIX requirements in RFC 3917 [1]. Additions or ../data/rfc/rfc5470.txt- modifications would then be made to the selected protocol to fit it -- ../data/rfc/rfc5470.txt- can make a clear interpretation of the received Flow Records. ../data/rfc/rfc5470.txt- ../data/rfc/rfc5470.txt-10. Security Considerations ../data/rfc/rfc5470.txt- ../data/rfc/rfc5470.txt- Flow information can be used for various purposes, such as usage- ../data/rfc/rfc5470.txt: based accounting, traffic profiling, traffic engineering, and ../data/rfc/rfc5470.txt- intrusion detection. The security requirements may differ ../data/rfc/rfc5470.txt- significantly for such applications. To be able to satisfy the ../data/rfc/rfc5470.txt- security needs of various IPFIX users, an IPFIX system must provide ../data/rfc/rfc5470.txt- different levels of security protection. ../data/rfc/rfc5470.txt- -- ../data/rfc/rfc7846.txt- 5.2. Management Considerations .................................40 ../data/rfc/rfc7846.txt- 5.2.1. Interoperability ...................................40 ../data/rfc/rfc7846.txt- 5.2.2. Management Information .............................40 ../data/rfc/rfc7846.txt- 5.2.3. Fault Management ...................................41 ../data/rfc/rfc7846.txt- 5.2.4. Configuration Management ...........................41 ../data/rfc/rfc7846.txt: 5.2.5. 
Accounting Management ..............................41 ../data/rfc/rfc7846.txt- 5.2.6. Performance Management .............................41 ../data/rfc/rfc7846.txt- 5.2.7. Security Management ................................41 ../data/rfc/rfc7846.txt- 6. Security Considerations ........................................42 ../data/rfc/rfc7846.txt- 6.1. Authentication between Tracker and Peers ..................42 ../data/rfc/rfc7846.txt- 6.2. Content Integrity Protection against Polluting -- ../data/rfc/rfc7846.txt- The management considerations for PPSTP are similar to other ../data/rfc/rfc7846.txt- solutions using HTTP for large-scale content distribution. The PPSP ../data/rfc/rfc7846.txt- tracker can be realized by geographically distributed tracker nodes ../data/rfc/rfc7846.txt- or multiple server nodes in a data center. As these nodes are akin ../data/rfc/rfc7846.txt- to WWW nodes, their configuration procedures, detection of faults, ../data/rfc/rfc7846.txt: measurement of performance, usage accounting, and security measures ../data/rfc/rfc7846.txt- can be achieved by standard solutions and facilities. ../data/rfc/rfc7846.txt- ../data/rfc/rfc7846.txt-5.2.1. Interoperability ../data/rfc/rfc7846.txt- ../data/rfc/rfc7846.txt- Interoperability refers to allowing information sharing and -- ../data/rfc/rfc7846.txt- tracker nodes or multiple server nodes in a data center, may benefit ../data/rfc/rfc7846.txt- from a standard way of replicating atomic configuration updates over ../data/rfc/rfc7846.txt- a set of server nodes. This functionality can be provided via ../data/rfc/rfc7846.txt- NETCONF [RFC6241]. ../data/rfc/rfc7846.txt- ../data/rfc/rfc7846.txt:5.2.5. 
Accounting Management ../data/rfc/rfc7846.txt- ../data/rfc/rfc7846.txt- PPSTP implementations, primarily in content provider environments, ../data/rfc/rfc7846.txt: can benefit from accounting standardization efforts as described in ../data/rfc/rfc7846.txt: [RFC2975], which indicates that accounting management is "concerned ../data/rfc/rfc7846.txt- with the collection of resource consumption data for the purposes of ../data/rfc/rfc7846.txt- capacity and trend analysis, cost allocation, auditing, and billing". ../data/rfc/rfc7846.txt- ../data/rfc/rfc7846.txt-5.2.6. Performance Management ../data/rfc/rfc7846.txt- -- ../data/rfc/rfc7846.txt- [RFC2790] Waldbusser, S. and P. Grillo, "Host Resources MIB", RFC ../data/rfc/rfc7846.txt- 2790, DOI 10.17487/RFC2790, March 2000, ../data/rfc/rfc7846.txt- <http://www.rfc-editor.org/info/rfc2790>. ../data/rfc/rfc7846.txt- ../data/rfc/rfc7846.txt- [RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to ../data/rfc/rfc7846.txt: Accounting Management", RFC 2975, DOI 10.17487/RFC2975, ../data/rfc/rfc7846.txt- October 2000, <http://www.rfc-editor.org/info/rfc2975>. ../data/rfc/rfc7846.txt- ../data/rfc/rfc7846.txt- [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, ../data/rfc/rfc7846.txt- "Introduction and Applicability Statements for Internet- ../data/rfc/rfc7846.txt- Standard Management Framework", RFC 3410, -- ../data/rfc/rfc8014.txt- Operations, Administration, and Maintenance (OAM) [RFC6291] framework ../data/rfc/rfc8014.txt- for overlay networks can draw from prior IETF OAM work for tunnel- ../data/rfc/rfc8014.txt- based networks, specifically L2VPN OAM [RFC6136]. 
RFC 6136 focuses ../data/rfc/rfc8014.txt- on Fault Management and Performance Management as fundamental to ../data/rfc/rfc8014.txt- L2VPN service delivery, leaving the Configuration Management, ../data/rfc/rfc8014.txt: Accounting Management, and Security Management components of the Open ../data/rfc/rfc8014.txt: Systems Interconnection (OSI) Fault, Configuration, Accounting, ../data/rfc/rfc8014.txt- Performance, and Security (FCAPS) taxonomy [M.3400] for further ../data/rfc/rfc8014.txt- study. This section does likewise for NVO3 OAM, but those three ../data/rfc/rfc8014.txt- areas continue to be important parts of complete OAM functionality ../data/rfc/rfc8014.txt- for NVO3. ../data/rfc/rfc8014.txt- -- ../data/rfc/rfc4375.txt- ../data/rfc/rfc4375.txt-3.7. MIB ../data/rfc/rfc4375.txt- ../data/rfc/rfc4375.txt- Management Information Bases (MIBs) SHOULD be defined for mechanisms ../data/rfc/rfc4375.txt- specifically in place to support ETS. These MIBs MAY include objects ../data/rfc/rfc4375.txt: representing accounting, policy, and authorization. ../data/rfc/rfc4375.txt- ../data/rfc/rfc4375.txt-4. Issues ../data/rfc/rfc4375.txt- ../data/rfc/rfc4375.txt- This section presents issues that arise in considering solutions for ../data/rfc/rfc4375.txt- the requirements that have been defined for stub domains that support -- ../data/rfc/rfc385.txt- ------- ------- ---- ../data/rfc/rfc385.txt- MAIL 350 450,451,500-506 ../data/rfc/rfc385.txt- Sec Reply 256 ../data/rfc/rfc385.txt- ../data/rfc/rfc385.txt- 15. An additional access control command called account (ACCT) ../data/rfc/rfc385.txt: is now defined to facilitate accounting in systems such as ../data/rfc/rfc385.txt- TENEX which require in addition to user and password, a ../data/rfc/rfc385.txt- separate account specification. 
The 'ACCT' command is ../data/rfc/rfc385.txt- different from the 'PASS' command in that it is not ../data/rfc/rfc385.txt- necessarily related to the 'USER' command and may arrive at ../data/rfc/rfc385.txt- any time. For example, a user may transfer different files -- ../data/rfc/rfc2748.txt- 2.2.10 Keep-Alive Timer Object (KATimer)..........................15 ../data/rfc/rfc2748.txt- 2.2.11 PEP Identification Object (PEPID)..........................16 ../data/rfc/rfc2748.txt- 2.2.12 Report-Type Object (Report-Type)...........................16 ../data/rfc/rfc2748.txt- 2.2.13 PDP Redirect Address (PDPRedirAddr)........................16 ../data/rfc/rfc2748.txt- 2.2.14 Last PDP Address (LastPDPAddr).............................17 ../data/rfc/rfc2748.txt: 2.2.15 Accounting Timer Object (AcctTimer)........................17 ../data/rfc/rfc2748.txt- 2.2.16 Message Integrity Object (Integrity).......................18 ../data/rfc/rfc2748.txt- 2.3 Communication.................................................19 ../data/rfc/rfc2748.txt- 2.4 Client Handle Usage...........................................21 ../data/rfc/rfc2748.txt- 2.5 Synchronization Behavior......................................21 ../data/rfc/rfc2748.txt- 3. Message Content................................................22 -- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- decisions to the PEP to force changes in previously approved request ../data/rfc/rfc2748.txt- states. The PEP also has the capacity to report to the remote PDP ../data/rfc/rfc2748.txt- that it has successfully completed performing the PDP's decision ../data/rfc/rfc2748.txt: locally, useful for accounting and monitoring purposes. The PEP is ../data/rfc/rfc2748.txt- responsible for notifying the PDP when a request state has changed on ../data/rfc/rfc2748.txt- the PEP. 
Finally, the PEP is responsible for the deletion of any ../data/rfc/rfc2748.txt- state that is no longer applicable due to events at the client or ../data/rfc/rfc2748.txt- decisions issued by the server. ../data/rfc/rfc2748.txt- -- ../data/rfc/rfc2748.txt- 10 = Keep-Alive Timer ../data/rfc/rfc2748.txt- 11 = PEP Identification ../data/rfc/rfc2748.txt- 12 = Report Type ../data/rfc/rfc2748.txt- 13 = PDP Redirect Address ../data/rfc/rfc2748.txt- 14 = Last PDP Address ../data/rfc/rfc2748.txt: 15 = Accounting Timer ../data/rfc/rfc2748.txt- 16 = Message Integrity ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- C-type: 8 bits ../data/rfc/rfc2748.txt- Values defined per C-num. ../data/rfc/rfc2748.txt- -- ../data/rfc/rfc2748.txt- +--------------+--------------+--------------+--------------+ ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- Report-Type: ../data/rfc/rfc2748.txt- 1 = Success : Decision was successful at the PEP ../data/rfc/rfc2748.txt- 2 = Failure : Decision could not be completed by PEP ../data/rfc/rfc2748.txt: 3 = Accounting: Accounting update for an installed state ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt-2.2.13 PDP Redirect Address (PDPRedirAddr) ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- A PDP when closing a PEP session for a particular client-type may ../data/rfc/rfc2748.txt- optionally use this object to redirect the PEP to the specified PDP -- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- C-Type = 1, IPv4 Address (Same format as PDPRedirAddr) ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- C-Type = 2, IPv6 Address (Same format as PDPRedirAddr) ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt:2.2.15 Accounting Timer Object (AcctTimer) ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- Times are encoded as 2 octet integer values and are in units of ../data/rfc/rfc2748.txt- seconds. The timer value is treated as a delta. 
../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- C-Num = 15, ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt: C-Type = 1, Accounting timer value ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- -- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt-RFC 2748 COPS January 2000 ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- Optional timer value used to determine the minimum interval between ../data/rfc/rfc2748.txt: periodic accounting type reports. It is used by the PDP to describe ../data/rfc/rfc2748.txt: to the PEP an acceptable interval between unsolicited accounting ../data/rfc/rfc2748.txt- updates via Report messages where applicable. It provides a method ../data/rfc/rfc2748.txt: for the PDP to control the amount of accounting traffic seen by the ../data/rfc/rfc2748.txt- network. The range of finite time values is 1 to 65535 seconds ../data/rfc/rfc2748.txt- represented as an unsigned two-octet integer. A value of zero means ../data/rfc/rfc2748.txt: there SHOULD be no unsolicited accounting updates. ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- 0 1 2 3 ../data/rfc/rfc2748.txt- +--------------+--------------+--------------+--------------+ ../data/rfc/rfc2748.txt- | ////////////// | ACCT Timer Value | ../data/rfc/rfc2748.txt- +--------------+--------------+--------------+--------------+ -- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt-3.3 Report State (RPT) PEP -> PDP ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- The RPT message is used by the PEP to communicate to the PDP its ../data/rfc/rfc2748.txt- success or failure in carrying out the PDP's decision, or to report ../data/rfc/rfc2748.txt: an accounting related change in state. The Report-Type specifies the ../data/rfc/rfc2748.txt- kind of report and the optional ClientSI can carry additional ../data/rfc/rfc2748.txt- information per Client-Type. 
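As an added example (my code, not from RFC 2748 or any COPS implementation), the AcctTimer object of 2.2.15 encoded and parsed the way a PEP sees it inside a Client-Accept, followed by the per-client-handle rate limit the text asks the PEP to honour. The object layout (a 4-octet header of Length, C-Num, C-Type, then two reserved octets and the 2-octet timer value) is the RFC's; the KATimer object is built here only to make a realistic object list; handle names and timestamps are constructed.

```python
"""COPS Accounting Timer object (RFC 2748 section 2.2.15) and the PEP-side rate
limit it implies. Added example, not text or code from the RFC.

Every COPS object starts with Length(16 bits, header included), C-Num(8), C-Type(8).
AcctTimer is C-Num 15 / C-Type 1: two reserved octets, then the two-octet ACCT
Timer Value in seconds (0 = no unsolicited accounting updates). KATimer (C-Num 10)
shares the layout and is used here only to build a sample Client-Accept body.
"""
import struct

CNUM_KA_TIMER, CNUM_ACCT_TIMER = 10, 15
CTYPE_TIMER = 1


def encode_timer_object(cnum, seconds):
    """Length=8, C-Num, C-Type=1, 2 reserved octets, 16-bit timer value."""
    if not 0 <= seconds <= 0xFFFF:
        raise ValueError("timer value is an unsigned two-octet integer")
    return struct.pack("!HBBHH", 8, cnum, CTYPE_TIMER, 0, seconds)


def encode_acct_timer(seconds):
    return encode_timer_object(CNUM_ACCT_TIMER, seconds)


def encode_ka_timer(seconds):
    return encode_timer_object(CNUM_KA_TIMER, seconds)


def iter_cops_objects(buf):
    """Yield (cnum, ctype, contents) per object, rejecting a Length that is smaller
    than the 4-octet header or runs past the buffer (the field a hostile peer lies in)."""
    while buf:
        if len(buf) < 4:
            raise ValueError("truncated object header")
        length, cnum, ctype = struct.unpack("!HBB", buf[:4])
        if length < 4 or length > len(buf):
            raise ValueError(f"object length {length} inconsistent with {len(buf)} octets left")
        yield cnum, ctype, buf[4:length]
        buf = buf[length:]


def acct_timer_from_client_accept(objects):
    """ACCT Timer value from the objects following a Client-Accept common header,
    or None when the PDP sent no AcctTimer (no restriction on accounting reports)."""
    for cnum, ctype, contents in iter_cops_objects(objects):
        if cnum == CNUM_ACCT_TIMER:
            if ctype != CTYPE_TIMER or len(contents) != 4:
                raise ValueError("malformed AcctTimer object")
            return struct.unpack("!H", contents[2:])[0]
    return None


class AcctReportGate:
    """PEP policy for unsolicited accounting Report State messages, per client handle.

    acct_timer None : object absent in Client-Accept, PDP imposes no limit.
    acct_timer 0    : PDP asked for no unsolicited accounting updates at all.
    acct_timer N    : at most one unsolicited accounting report per handle every N seconds.
    """

    def __init__(self, acct_timer):
        self.acct_timer = acct_timer
        self._last_sent = {}

    def may_send(self, handle, now):
        if self.acct_timer is None:
            return True
        if self.acct_timer == 0:
            return False
        last = self._last_sent.get(handle)
        if last is not None and now - last < self.acct_timer:
            return False
        self._last_sent[handle] = now
        return True


if __name__ == "__main__":
    # Constructed Client-Accept body: KA Timer 60 s followed by ACCT Timer 30 s.
    accept_objects = encode_ka_timer(60) + encode_acct_timer(30)
    gate = AcctReportGate(acct_timer_from_client_accept(accept_objects))
    print([gate.may_send("handle-1", t) for t in (0, 10, 30, 45, 60)])
```

The length check in iter_cops_objects is the part a parser most often gets wrong: a Length below the 4-octet header would make the loop stall or walk backwards, and one beyond the remaining buffer would read past the message, so both are refused before the object is used.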
../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- For every DEC message containing a configuration context that is ../data/rfc/rfc2748.txt- received by a PEP, the PEP MUST generate a corresponding Report State -- ../data/rfc/rfc2748.txt- the same order as their corresponding Decision messages were ../data/rfc/rfc2748.txt- received. There MUST never be more than one Report State message ../data/rfc/rfc2748.txt- generated with the Solicited Message flag set per Decision. ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- The Report State may also be used to provide periodic updates of ../data/rfc/rfc2748.txt: client specific information for accounting and state monitoring ../data/rfc/rfc2748.txt- purposes depending on the type of the client. In such cases the ../data/rfc/rfc2748.txt: accounting report type should be specified utilizing the appropriate ../data/rfc/rfc2748.txt- client specific information object. ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- <Report State> ::== <Common Header> ../data/rfc/rfc2748.txt- <Client Handle> ../data/rfc/rfc2748.txt- <Report-Type> -- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- The Client-Accept message is used to positively respond to the ../data/rfc/rfc2748.txt- Client-Open message. This message will return to the PEP a timer ../data/rfc/rfc2748.txt- object indicating the maximum time interval between keep-alive ../data/rfc/rfc2748.txt- messages. Optionally, a timer specifying the minimum allowed interval ../data/rfc/rfc2748.txt: between accounting report messages may be included when applicable. ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- <Client-Accept> ::= <Common Header> ../data/rfc/rfc2748.txt- <KA Timer> ../data/rfc/rfc2748.txt- [<ACCT Timer>] ../data/rfc/rfc2748.txt- [<Integrity>] -- ../data/rfc/rfc2748.txt- between the generation of messages by the PDP and PEP. The timer ../data/rfc/rfc2748.txt- value is determined by the PDP and is specified in seconds. 
A timer ../data/rfc/rfc2748.txt- value of 0 implies no secondary connection verification is necessary. ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- The optional ACCT Timer allows the PDP to indicate to the PEP that ../data/rfc/rfc2748.txt: periodic accounting reports SHOULD NOT exceed the specified timer ../data/rfc/rfc2748.txt- interval per client handle. This allows the PDP to control the rate ../data/rfc/rfc2748.txt: at which accounting reports are sent by the PEP (when applicable). ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt-Durham, et al. Standards Track [Page 27] ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt-RFC 2748 COPS January 2000 ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt: In general, accounting type Report messages are sent to the PDP when ../data/rfc/rfc2748.txt: determined appropriate by the PEP. The accounting timer merely is ../data/rfc/rfc2748.txt- used by the PDP to keep the rate of such updates in check (i.e. ../data/rfc/rfc2748.txt: Preventing the PEP from blasting the PDP with accounting reports). ../data/rfc/rfc2748.txt- Not including this object implies there are no PDP restrictions on ../data/rfc/rfc2748.txt: the rate at which accounting updates are generated. ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- If the PEP receives a malformed Client-Accept message it MUST ../data/rfc/rfc2748.txt- generate a Client-Close message specifying the appropriate error ../data/rfc/rfc2748.txt- code. ../data/rfc/rfc2748.txt- -- ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- In all cases, the PEP MAY notify the remote PDP of the local status ../data/rfc/rfc2748.txt- of an installed state using the report message where appropriate. 
../data/rfc/rfc2748.txt- The report message is to be used to signify when billing can begin, ../data/rfc/rfc2748.txt- what actions were taken, or to produce periodic updates for ../data/rfc/rfc2748.txt: monitoring and accounting purposes depending on the client. This ../data/rfc/rfc2748.txt- message can carry client specific information when needed. ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt-4.6 Keep-Alive Operations ../data/rfc/rfc2748.txt- ../data/rfc/rfc2748.txt- The Keep-Alive message is used to validate the connection between the -- ../data/rfc/rfc1015.txt- ../data/rfc/rfc1015.txt- This is not to say that agencies may not choose to have their ../data/rfc/rfc1015.txt- individual networks operated by the IRI, or even turned over to the ../data/rfc/rfc1015.txt- IRI if they determine that to be appropriate. ../data/rfc/rfc1015.txt- ../data/rfc/rfc1015.txt: Appropriate access control, privacy, and accounting mechanisms must ../data/rfc/rfc1015.txt- be incorporated. This includes access control to data, resources, ../data/rfc/rfc1015.txt: and the networks themselves, privacy of user data, and accounting ../data/rfc/rfc1015.txt- mechanisms to support both cost allocation and cost auditing [23]. ../data/rfc/rfc1015.txt- ../data/rfc/rfc1015.txt- The technical and administrative approach must allow (indeed ../data/rfc/rfc1015.txt- encourage) the incorporation of evolving technologies. In ../data/rfc/rfc1015.txt- particular, the network must evolve towards provision of high -- ../data/rfc/rfc3820.txt- ../data/rfc/rfc3820.txt-RFC 3820 X.509 Proxy Certificate Profile June 2004 ../data/rfc/rfc3820.txt- ../data/rfc/rfc3820.txt- ../data/rfc/rfc3820.txt- [i7] Neuman, B. Clifford, "Proxy-Based Authorization and ../data/rfc/rfc3820.txt: Accounting for Distributed Systems", In Proceedings of the ../data/rfc/rfc3820.txt- 13th International Conference on Distributed Computing ../data/rfc/rfc3820.txt- Systems, pages 283-291, May 1993. 
../data/rfc/rfc3820.txt- ../data/rfc/rfc3820.txt- [i8] Narten, T. and H. Alvestrand. "Guidelines for Writing an IANA ../data/rfc/rfc3820.txt- Considerations Section in RFC", RFC 2434, October 1998. -- ../data/rfc/rfc5997.txt- 1.2. Terminology ................................................4 ../data/rfc/rfc5997.txt- 1.3. Requirements Language ......................................4 ../data/rfc/rfc5997.txt- 2. Overview ........................................................4 ../data/rfc/rfc5997.txt- 2.1. Why Access-Request is Inappropriate ........................6 ../data/rfc/rfc5997.txt- 2.1.1. Recommendation against Access-Request ...............7 ../data/rfc/rfc5997.txt: 2.2. Why Accounting-Request is Inappropriate ....................7 ../data/rfc/rfc5997.txt: 2.2.1. Recommendation against Accounting-Request ...........7 ../data/rfc/rfc5997.txt- 3. Packet Format ...................................................8 ../data/rfc/rfc5997.txt- 3.1. Single Definition for Status-Server .......................10 ../data/rfc/rfc5997.txt- 4. Implementation Notes ...........................................10 ../data/rfc/rfc5997.txt- 4.1. Client Requirements .......................................11 ../data/rfc/rfc5997.txt- 4.2. Server Requirements .......................................12 -- ../data/rfc/rfc5997.txt- 4.6.1. Interaction with RADIUS Server MIB Modules .........17 ../data/rfc/rfc5997.txt- 4.6.2. Interaction with RADIUS Client MIB Modules .........17 ../data/rfc/rfc5997.txt- 5. Table of Attributes ............................................18 ../data/rfc/rfc5997.txt- 6. Examples .......................................................19 ../data/rfc/rfc5997.txt- 6.1. Minimal Query to Authentication Port ......................19 ../data/rfc/rfc5997.txt: 6.2. Minimal Query to Accounting Port ..........................20 ../data/rfc/rfc5997.txt- 6.3. Verbose Query and Response ................................21 ../data/rfc/rfc5997.txt- 7. 
Security Considerations ........................................21 ../data/rfc/rfc5997.txt- 8. References .....................................................23 ../data/rfc/rfc5997.txt- 8.1. Normative References ......................................23 ../data/rfc/rfc5997.txt- 8.2. Informative References ....................................23 -- ../data/rfc/rfc5997.txt- Authenticator attribute to provide per-packet authentication and ../data/rfc/rfc5997.txt- integrity protection. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- With existing implementations of this protocol, the potential exists ../data/rfc/rfc5997.txt- for Status-Server requests to be in conflict with Access-Request or ../data/rfc/rfc5997.txt: Accounting-Request packets using the same Identifier. This ../data/rfc/rfc5997.txt- specification recommends techniques to avoid this problem. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- -- ../data/rfc/rfc5997.txt- Authenticator (in IEEE 802.1X terminology) or RADIUS client. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- "RADIUS Proxy" ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- In order to provide for the routing of RADIUS authentication and ../data/rfc/rfc5997.txt: accounting requests, a RADIUS proxy can be employed. To the NAS, ../data/rfc/rfc5997.txt- the RADIUS proxy appears to act as a RADIUS server, and to the ../data/rfc/rfc5997.txt- RADIUS server, the proxy appears to act as a RADIUS client. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- "silently discard" ../data/rfc/rfc5997.txt- -- ../data/rfc/rfc5997.txt- protection. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- RADIUS proxies or servers MUST NOT forward Status-Server packets. 
A ../data/rfc/rfc5997.txt- RADIUS server or proxy implementing this specification SHOULD respond ../data/rfc/rfc5997.txt- to a Status-Server packet with an Access-Accept (authentication port) ../data/rfc/rfc5997.txt: or Accounting-Response (accounting port). An Access-Challenge ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-DeKok Informational [Page 4] ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-RFC 5997 Status-Server Practices August 2010 ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- response is NOT RECOMMENDED. An Access-Reject response MAY be used. ../data/rfc/rfc5997.txt- The list of attributes that are permitted in Status-Server packets, ../data/rfc/rfc5997.txt: and in Access-Accept or Accounting-Response packets responding to ../data/rfc/rfc5997.txt- Status-Server packets, is provided in Section 5. Section 6 provides ../data/rfc/rfc5997.txt- several examples. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Since a Status-Server packet MUST NOT be forwarded by a RADIUS proxy ../data/rfc/rfc5997.txt- or server, the client is provided with an indication of the status of -- ../data/rfc/rfc5997.txt- Note that it still may be useful to configure test users for the ../data/rfc/rfc5997.txt- purpose of performing end-to-end or in-depth testing of a server ../data/rfc/rfc5997.txt- policy. While this practice is widespread, we caution administrators ../data/rfc/rfc5997.txt- to use it with care. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt:2.2. Why Accounting-Request is Inappropriate ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- A similar solution for the problem of querying server status may be ../data/rfc/rfc5997.txt: for a NAS to send specially formed Accounting-Request packets to a ../data/rfc/rfc5997.txt: RADIUS server's accounting port. 
The NAS can then look for a ../data/rfc/rfc5997.txt- response and use this information to determine if the server is ../data/rfc/rfc5997.txt- active or unresponsive. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- As seen above with Access-Request, the server may then conclude that ../data/rfc/rfc5997.txt- a real user has logged onto a NAS, and perform local-site actions ../data/rfc/rfc5997.txt- that are undesirable for a simple status query. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Another consideration is that some attributes are mandatory to ../data/rfc/rfc5997.txt: include in an Accounting-Request. This requirement forces the ../data/rfc/rfc5997.txt: administrator to query an accounting server with fake values for ../data/rfc/rfc5997.txt- those attributes in a test packet. These fake values increase the ../data/rfc/rfc5997.txt- work required to perform a simple query, and they may pollute the ../data/rfc/rfc5997.txt: server's accounting database with incorrect data. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt:2.2.1. Recommendation against Accounting-Request ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- For the reasons outlined above, NAS implementors SHOULD NOT generate ../data/rfc/rfc5997.txt: Accounting-Request packets solely to see if a server is alive. ../data/rfc/rfc5997.txt: Similarly, site administrators SHOULD NOT configure accounting ../data/rfc/rfc5997.txt- policies whose sole reason for existence is to enable such queries ../data/rfc/rfc5997.txt: via Accounting-Request packets. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Note that it still may be useful to configure test users for the ../data/rfc/rfc5997.txt- purpose of performing end-to-end or in-depth testing of a server's ../data/rfc/rfc5997.txt- policy. While this practice is widespread, we caution administrators ../data/rfc/rfc5997.txt- to use it with care. 
-- ../data/rfc/rfc5997.txt- using the same method as that used for the Request Authenticator ../data/rfc/rfc5997.txt- field of Access-Request packets, as given below. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- The role of the Identifier field is the same for Status-Server as for ../data/rfc/rfc5997.txt- other packets. However, as Status-Server is taking the role of ../data/rfc/rfc5997.txt: Access-Request or Accounting-Request packets, there is the potential ../data/rfc/rfc5997.txt- for Status-Server requests to be in conflict with Access-Request or ../data/rfc/rfc5997.txt: Accounting-Request packets with the same Identifier. In Section 4.2 ../data/rfc/rfc5997.txt- below, we describe a method for avoiding these problems. This method ../data/rfc/rfc5997.txt- MUST be used to avoid conflicts between Status-Server and other ../data/rfc/rfc5997.txt- packet types. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Request Authenticator -- ../data/rfc/rfc5997.txt-DeKok Informational [Page 8] ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-RFC 5997 Status-Server Practices August 2010 ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt: The Response Authenticator field of an Accounting-Response packet ../data/rfc/rfc5997.txt- sent in response to Status-Server queries MUST be generated using the ../data/rfc/rfc5997.txt- same method as used for calculating the Response Authenticator of the ../data/rfc/rfc5997.txt: Accounting-Response sent in response to an Accounting-Request, with ../data/rfc/rfc5997.txt- the Status-Server Request Authenticator taking the place of the ../data/rfc/rfc5997.txt: Accounting-Request Request Authenticator. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Note that when a server responds to a Status-Server request, it MUST ../data/rfc/rfc5997.txt- NOT send more than one Response packet. 
../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Response Authenticator ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- The value of the Authenticator field in Access-Accept or ../data/rfc/rfc5997.txt: Accounting-Response packets is called the Response ../data/rfc/rfc5997.txt- Authenticator, and contains a one-way MD5 hash calculated over ../data/rfc/rfc5997.txt- a stream of octets consisting of: the RADIUS packet, beginning ../data/rfc/rfc5997.txt- with the Code field, including the Identifier, the Length, the ../data/rfc/rfc5997.txt- Request Authenticator field from the Status-Server packet, and ../data/rfc/rfc5997.txt- the response Attributes (if any), followed by the shared -- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Other attributes SHOULD NOT be included in a Status-Server packet, ../data/rfc/rfc5997.txt- and MUST be ignored if they are included. User authentication ../data/rfc/rfc5997.txt- credentials such as User-Name, User-Password, CHAP-Password, ../data/rfc/rfc5997.txt- EAP-Message MUST NOT appear in a Status-Server packet sent to a ../data/rfc/rfc5997.txt: RADIUS authentication port. User or NAS accounting attributes such ../data/rfc/rfc5997.txt- as Acct-Session-Id, Acct-Status-Type, Acct-Input-Octets MUST NOT ../data/rfc/rfc5997.txt: appear in a Status-Server packet sent to a RADIUS accounting port. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- The Access-Accept MAY contain a Reply-Message or Message- ../data/rfc/rfc5997.txt- Authenticator attribute. It SHOULD NOT contain other attributes. ../data/rfc/rfc5997.txt: The Accounting-Response packets sent in response to a Status-Server ../data/rfc/rfc5997.txt- query SHOULD NOT contain any attributes. 
As the intent is to ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- -- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-RFC 5997 Status-Server Practices August 2010 ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- implement a simple query instead of user authentication or ../data/rfc/rfc5997.txt: accounting, there is little reason to include other attributes in ../data/rfc/rfc5997.txt- either the query or the corresponding response. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Examples of Status-Server packet flows are given below in Section 6. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-3.1. Single Definition for Status-Server ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt: When sent to a RADIUS accounting port, the contents of the Status- ../data/rfc/rfc5997.txt- Server packets are calculated as described above. That is, even ../data/rfc/rfc5997.txt: though the packets are being sent to an accounting port, they are not ../data/rfc/rfc5997.txt: created using the same method as is used for Accounting-Requests. ../data/rfc/rfc5997.txt- This difference has a number of benefits. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Having a single definition for Status-Server packets is simpler than ../data/rfc/rfc5997.txt- having different definitions for different destination ports. In ../data/rfc/rfc5997.txt- addition, if we were to define Status-Server as being similar to ../data/rfc/rfc5997.txt: Accounting-Request but containing no attributes, then those packets ../data/rfc/rfc5997.txt- could be trivially forged. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- We therefore define Status-Server consistently, and vary the response ../data/rfc/rfc5997.txt- packets depending on the port to which the request is sent. When ../data/rfc/rfc5997.txt- sent to an authentication port, the response to a Status-Server query ../data/rfc/rfc5997.txt: is an Access-Accept packet. 
When sent to an accounting port, the ../data/rfc/rfc5997.txt: response to a Status-Server query is an Accounting-Response packet. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-4. Implementation Notes ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- There are a number of considerations to take into account when ../data/rfc/rfc5997.txt- implementing support for Status-Server. This section describes ../data/rfc/rfc5997.txt- implementation details and requirements for RADIUS clients and ../data/rfc/rfc5997.txt- servers that support Status-Server. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt: The following text applies to the authentication and accounting ../data/rfc/rfc5997.txt- ports. We use the generic terms below to simplify the discussion: ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- * Request packet ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- An Access-Request packet sent to an authentication port or an ../data/rfc/rfc5997.txt: Accounting-Request packet sent to an accounting port. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- * Response packet ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- An Access-Accept, Access-Challenge, or Access-Reject packet ../data/rfc/rfc5997.txt: sent from an authentication port or an Accounting-Response ../data/rfc/rfc5997.txt: packet sent from an accounting port. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- -- ../data/rfc/rfc5997.txt- We also refer to "client" as the originator of the Status-Server ../data/rfc/rfc5997.txt- packet, and "server" as the receiver of that packet and the ../data/rfc/rfc5997.txt- originator of the Response packet. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Using generic terms to describe the Status-Server conversations is ../data/rfc/rfc5997.txt: simpler than duplicating the text for authentication and accounting ../data/rfc/rfc5997.txt- packets. 
../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-4.1. Client Requirements ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Clients SHOULD permit administrators to globally enable or disable -- ../data/rfc/rfc5997.txt- Other clients MAY choose to send Status-Server requests from a unique ../data/rfc/rfc5997.txt- source port that is not used to send Request packets. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- The above suggestion for a unique source port for Status-Server ../data/rfc/rfc5997.txt- packets aids in matching responses to requests. Since the response ../data/rfc/rfc5997.txt: to a Status-Server packet is an Access-Accept or Accounting-Response ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-DeKok Informational [Page 11] ../data/rfc/rfc5997.txt- -- ../data/rfc/rfc5997.txt- field of the packet matters less than the fact that a valid, signed ../data/rfc/rfc5997.txt- response has been received. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- That is, prior to accepting the response as valid, the client should ../data/rfc/rfc5997.txt- check that the Response packet Code field is either Access-Accept (2) ../data/rfc/rfc5997.txt: or Accounting-Response (5). If the Code does not match any of these ../data/rfc/rfc5997.txt- values, the packet MUST be silently discarded. The client MUST then ../data/rfc/rfc5997.txt- validate the Response Authenticator via the algorithm given above in ../data/rfc/rfc5997.txt- Section 3. If the Response Authenticator is not valid, the packet ../data/rfc/rfc5997.txt- MUST be silently discarded. 
If the Response Authenticator is valid, ../data/rfc/rfc5997.txt- then the packet MUST be deemed to be a valid response from the -- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- We note that [RFC2865], Section 3, defines a number of RADIUS Codes, ../data/rfc/rfc5997.txt- but does not make statements about which Codes are valid for ../data/rfc/rfc5997.txt- port 1812. In contrast, [RFC2866], Section 3, specifies that only ../data/rfc/rfc5997.txt: RADIUS Accounting packets are to be sent to port 1813. This ../data/rfc/rfc5997.txt- specification is compatible with [RFC2865], as it uses a known Code ../data/rfc/rfc5997.txt- for packets to port 1812. This specification is not compatible with ../data/rfc/rfc5997.txt- [RFC2866], as it adds a new Code (Status-Server) that is valid for ../data/rfc/rfc5997.txt- port 1812. However, as the category of [RFC2866] is Informational, ../data/rfc/rfc5997.txt- this conflict is acceptable. -- ../data/rfc/rfc5997.txt- connection to that database is down. Or, it may happen when the ../data/rfc/rfc5997.txt- accepted load on the server is lower than the offered load. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Some server implementations require that Access-Request packets be ../data/rfc/rfc5997.txt- accepted only on "authentication" ports (e.g., 1812/udp), and that ../data/rfc/rfc5997.txt: Accounting-Request packets be accepted only on "accounting" ports ../data/rfc/rfc5997.txt- (e.g., 1813/udp). Those implementations SHOULD reply to Status- ../data/rfc/rfc5997.txt- Server packets sent to an "authentication" port with an Access-Accept ../data/rfc/rfc5997.txt- packet and SHOULD reply to Status-Server packets sent to an ../data/rfc/rfc5997.txt: "accounting" port with an Accounting-Response packet. 
../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-DeKok Informational [Page 13] ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-RFC 5997 Status-Server Practices August 2010 ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Some server implementations accept both Access-Request and ../data/rfc/rfc5997.txt: Accounting-Request packets on the same port, and they do not ../data/rfc/rfc5997.txt: distinguish between "authentication only" ports and "accounting only" ../data/rfc/rfc5997.txt- ports. Those implementations SHOULD reply to Status-Server packets ../data/rfc/rfc5997.txt- with an Access-Accept packet. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- The server MAY increment packet counters as a result of receiving a ../data/rfc/rfc5997.txt- Status-Server packet or sending a Response packet. The server SHOULD -- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-4.3. Failover with Status-Server ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- A client may wish to "failover" from one proxy to another in the ../data/rfc/rfc5997.txt- event that it does not receive a response to an Access-Request or ../data/rfc/rfc5997.txt: Accounting-Request. In order to determine whether the lack of ../data/rfc/rfc5997.txt- response is due to a problem with the proxy or a downstream server, ../data/rfc/rfc5997.txt- the client can send periodic Status-Server packets to a proxy after ../data/rfc/rfc5997.txt- the lack of a response. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- These packets will help the client determine if the failure was due -- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Once the server has been deemed responsive, normal RADIUS requests ../data/rfc/rfc5997.txt- may be sent to it again. This determination should be made ../data/rfc/rfc5997.txt- separately for each server with which the client has a relationship. 
../data/rfc/rfc5997.txt- The same algorithm SHOULD be used for both authentication and ../data/rfc/rfc5997.txt: accounting ports. The client MUST treat each destination (IP, port) ../data/rfc/rfc5997.txt- combination as a unique server for the purposes of this ../data/rfc/rfc5997.txt- determination. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Clients SHOULD use a retransmission mechanism similar to that given ../data/rfc/rfc5997.txt- in Section 2.2.1 of [RFC5080]. If a reliable transport is used for -- ../data/rfc/rfc5997.txt- The following table provides a guide to which attributes may be found ../data/rfc/rfc5997.txt- in Status-Server packets, and in what quantity. Attributes other ../data/rfc/rfc5997.txt- than the ones listed below SHOULD NOT be found in a Status-Server ../data/rfc/rfc5997.txt- packet. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt: Status- Access- Accounting- ../data/rfc/rfc5997.txt- Server Accept Response # Attribute ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- 0 0 0 1 User-Name ../data/rfc/rfc5997.txt- 0 0 0 2 User-Password ../data/rfc/rfc5997.txt- 0 0 0 3 CHAP-Password -- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-6. Examples ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- A few examples are presented to illustrate the flow of packets to ../data/rfc/rfc5997.txt: both the authentication and accounting ports. These examples are not ../data/rfc/rfc5997.txt- intended to be exhaustive; many others are possible. Hexadecimal ../data/rfc/rfc5997.txt- dumps of the example packets are given in network byte order, using ../data/rfc/rfc5997.txt- the shared secret "xyzzy5461". ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-6.1. Minimal Query to Authentication Port -- ../data/rfc/rfc5997.txt-DeKok Informational [Page 19] ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-RFC 5997 Status-Server Practices August 2010 ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt:6.2. 
Minimal Query to Accounting Port ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- The NAS sends a Status-Server UDP packet with minimal content to a ../data/rfc/rfc5997.txt- RADIUS server on port 1813. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- The Request Authenticator is a 16-octet random number generated by -- ../data/rfc/rfc5997.txt- the shared secret. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- 02 b3 00 14 0f 6f 92 14 5f 10 7e 2f 50 4e 86 0a ../data/rfc/rfc5997.txt- 48 60 66 9c ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt: 1 Code = Accounting-Response (5) ../data/rfc/rfc5997.txt- 1 ID = 179 ../data/rfc/rfc5997.txt- 2 Length = 20 ../data/rfc/rfc5997.txt- 16 Request Authenticator ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Attributes: -- ../data/rfc/rfc5997.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, ../data/rfc/rfc5997.txt- "Remote Authentication Dial In User Service (RADIUS)", ../data/rfc/rfc5997.txt- RFC 2865, June 2000. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and ../data/rfc/rfc5997.txt: Accounting (AAA) Transport Profile", RFC 3539, June 2003. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, ../data/rfc/rfc5997.txt- "Randomness Requirements for Security", BCP 106, ../data/rfc/rfc5997.txt- RFC 4086, June 2005. ../data/rfc/rfc5997.txt- -- ../data/rfc/rfc5997.txt- Dial In User Service (RADIUS) Implementation Issues and ../data/rfc/rfc5997.txt- Suggested Fixes", RFC 5080, December 2007. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-8.2. Informative References ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- [RFC3579] Aboba, B. and P. 
Calhoun, "RADIUS (Remote Authentication ../data/rfc/rfc5997.txt- Dial In User Service) Support For Extensible ../data/rfc/rfc5997.txt- Authentication Protocol (EAP)", RFC 3579, September 2003. ../data/rfc/rfc5997.txt- -- ../data/rfc/rfc5997.txt- RFC 4668, August 2006. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6", ../data/rfc/rfc5997.txt- RFC 4669, August 2006. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt: [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", ../data/rfc/rfc5997.txt- RFC 4670, August 2006. ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-DeKok Informational [Page 23] ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-RFC 5997 Status-Server Practices August 2010 ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt: [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", ../data/rfc/rfc5997.txt- RFC 4671, August 2006. 
../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt-Acknowledgments ../data/rfc/rfc5997.txt- ../data/rfc/rfc5997.txt- Parts of the text in Section 3 defining the Request and Response -- ../data/rfc/rfc3600.txt--------- Transport Layer Security (TLS) Extensions 3546* ../data/rfc/rfc3600.txt--------- Enhanced Compressed RTP (CRTP) for Links with High 3545* ../data/rfc/rfc3600.txt- Delay, Packet Loss and Reordering ../data/rfc/rfc3600.txt-IPCOM-PPP IP Header Compression over PPP 3544* ../data/rfc/rfc3600.txt--------- Registration Revocation in Mobile IPv4 3543* ../data/rfc/rfc3600.txt:-------- Authentication, Authorization and Accounting (AAA) 3539* ../data/rfc/rfc3600.txt- Transport Profile ../data/rfc/rfc3600.txt--------- Wrapping a Hashed Message Authentication Code (HMAC) 3537* ../data/rfc/rfc3600.txt- key with a Triple-Data Encryption Standard ../data/rfc/rfc3600.txt- (DES) Key or an Advanced Encryption Standard (AES) ../data/rfc/rfc3600.txt- Key -- ../data/rfc/rfc3600.txt-WEBDAV HTTP Extensions for Distributed Authoring -- WEBDAV 2518 ../data/rfc/rfc3600.txt-ATM-MIBMAN Definitions of Managed Objects for ATM Management 2515 ../data/rfc/rfc3600.txt-ATM-TC-OID Definitions of Textual Conventions and OBJECT- 2514 ../data/rfc/rfc3600.txt- IDENTITIES for ATM Management ../data/rfc/rfc3600.txt--------- Managed Objects for Controlling the Collection 2513 ../data/rfc/rfc3600.txt: and Storage of Accounting Information for ../data/rfc/rfc3600.txt- Connection-Oriented Networks ../data/rfc/rfc3600.txt:-------- Accounting Information for ATM Networks 2512 ../data/rfc/rfc3600.txt-X.509-CRMF Internet X.509 Certificate Request Message Format 2511 ../data/rfc/rfc3600.txt-PKICMP Internet X.509 Public Key Infrastructure Certificate 2510 ../data/rfc/rfc3600.txt- Management Protocols ../data/rfc/rfc3600.txt--------- Compressing IP/UDP/RTP Headers for Low-Speed Serial 2508 ../data/rfc/rfc3600.txt- Links -- ../data/rfc/rfc3600.txt- Control Protocol Transport Mapping 
../data/rfc/rfc3600.txt--------- Select and Sort Extensions for the Service Location 3421*
../data/rfc/rfc3600.txt- Protocol (SLP)
../data/rfc/rfc3600.txt--------- The Application Exchange (APEX) Presence Service 3343*
../data/rfc/rfc3600.txt--------- Dual Stack Hosts Using "Bump-in-the-API" (BIA) 3338
../data/rfc/rfc3600.txt:-------- Policy-Based Accounting 3334
../data/rfc/rfc3600.txt--------- PGM Reliable Transport Protocol Specification 3208
../data/rfc/rfc3600.txt--------- Domain Security Services using S/MIME 3183
../data/rfc/rfc3600.txt-SMX Script MIB Extensibility Protocol Version 1.1 3179
../data/rfc/rfc3600.txt--------- ISO/IEC 9798-3 Authentication SASL Mechanism 3163
../data/rfc/rfc3600.txt--------- Electronic Signature Policies 3125
--
../data/rfc/rfc4216.txt- - Similarly, the inclusion of the RRO object in the Resv message
../data/rfc/rfc4216.txt- recording sub-objects such as interface IPv4/v6 address (if not
../data/rfc/rfc4216.txt- hidden), AS number, a label, a node-id (when required), etc.
../data/rfc/rfc4216.txt- - Inter-AS specific attributes as discussed in section 5 of this
../data/rfc/rfc4216.txt- document including, for example, inter-AS MPLS TE tunnel
../data/rfc/rfc4216.txt: accounting records across each AS segment.
../data/rfc/rfc4216.txt-
../data/rfc/rfc4216.txt-5.1.10.2. Inter-AS MPLS TE Fault Management Requirements
../data/rfc/rfc4216.txt-
../data/rfc/rfc4216.txt- In a MPLS network, an SP wants to detect both control plane and data
../data/rfc/rfc4216.txt- plane failures. But tools for fault detection over LSPs haven't been
--
../data/rfc/rfc740.txt-RFC 740 RTB 42423 22 Nov 77
../data/rfc/rfc740.txt-NETRJS Protocol
../data/rfc/rfc740.txt-
../data/rfc/rfc740.txt-
../data/rfc/rfc740.txt-
../data/rfc/rfc740.txt: system and accounting messages will be sent.
../data/rfc/rfc740.txt-
../data/rfc/rfc740.txt- (b) On an input channel, CAN causes RJS to ignore
../data/rfc/rfc740.txt- the job currently being read. However, the channel
../data/rfc/rfc740.txt- is not aborted as a result, and RJS will continue
../data/rfc/rfc740.txt- reading in jobs on the channel.
--
../data/rfc/rfc740.txt- the compressed format for printer and punch output. See
../data/rfc/rfc740.txt- Reference 9 for discussion of the virtues of compression.
../data/rfc/rfc740.txt-
../data/rfc/rfc740.txt- 2. Automatic Coldstart Job Resubmission
../data/rfc/rfc740.txt-
../data/rfc/rfc740.txt: If "R" (Restart) is specified in the accounting field on the
../data/rfc/rfc740.txt- JOB card and if this option is chosen, RJS will automatically
../data/rfc/rfc740.txt- resubmit the job from the beginning if the server operating
../data/rfc/rfc740.txt- system should be "coldstarted" before all output from the job
../data/rfc/rfc740.txt- is returned. Otherwise, the job will be lost and must be
../data/rfc/rfc740.txt- resubmitted from the remote terminal in case of a coldstart.
--
../data/rfc/rfc6581.txt- 4.1. Standardization of RDMA Read Parameter Configuration .......7
../data/rfc/rfc6581.txt- 4.2. Enabling MPA Mode ..........................................9
../data/rfc/rfc6581.txt- 4.3. Lack of Explicit RTR in MPA Request/Reply Exchange ........10
../data/rfc/rfc6581.txt- 4.4. Limitations on ULP Workaround .............................11
../data/rfc/rfc6581.txt- 4.4.1. Transport Neutral APIs .............................11
../data/rfc/rfc6581.txt: 4.4.2. Work/Completion Queue Accounting ...................11
../data/rfc/rfc6581.txt- 4.4.3. Host-based Implementation of MPA Fencing ...........12
../data/rfc/rfc6581.txt- 5. Enhanced MPA Connection Establishment ..........................13
../data/rfc/rfc6581.txt- 6. Enhanced MPA Request/Reply Frames ..............................14
../data/rfc/rfc6581.txt- 7. Enhanced SCTP Session Control Chunks ...........................15
../data/rfc/rfc6581.txt- 8. MPA Error Reporting ............................................16
--
../data/rfc/rfc6581.txt- There are three factors that make this workaround unsuitable for many
../data/rfc/rfc6581.txt- peer-to-peer applications:
../data/rfc/rfc6581.txt-
../data/rfc/rfc6581.txt- o Transport-Neutral APIs.
../data/rfc/rfc6581.txt-
../data/rfc/rfc6581.txt: o Work/Completion Queue Accounting.
../data/rfc/rfc6581.txt-
../data/rfc/rfc6581.txt- o Host-based implementation of MPA Fencing.
../data/rfc/rfc6581.txt-
../data/rfc/rfc6581.txt-4.4.1. Transport-Neutral APIs
../data/rfc/rfc6581.txt-
--
../data/rfc/rfc6581.txt- transport-neutral RDMA operations, allowing lower software layers to
../data/rfc/rfc6581.txt- translate to transport and device specifics. Having a distinct extra
../data/rfc/rfc6581.txt- message that is required only for one transport undermines the
../data/rfc/rfc6581.txt- application's goal of being transport neutral.
../data/rfc/rfc6581.txt-
../data/rfc/rfc6581.txt:4.4.2. Work/Completion Queue Accounting
../data/rfc/rfc6581.txt-
../data/rfc/rfc6581.txt- RDMA local APIs conventionally use Work Queues to submit requests
../data/rfc/rfc6581.txt- (Work Queue elements or WQEs) and to asynchronously receive
../data/rfc/rfc6581.txt- completions (in Completion Queues or CQs).
../data/rfc/rfc6581.txt-
--
../data/rfc/rfc5608.txt- passwords (with the User-Password Attribute), but other secure
../data/rfc/rfc5608.txt- transports could use other authentication mechanisms, and would
../data/rfc/rfc5608.txt- include RADIUS authentication attributes appropriate for that
../data/rfc/rfc5608.txt- mechanism instead of User-Password.
../data/rfc/rfc5608.txt-
../data/rfc/rfc5608.txt: This document does not describe the usage of RADIUS Accounting or
../data/rfc/rfc5608.txt- Dynamic RADIUS Re-Authorization. Such RADIUS usages are not
../data/rfc/rfc5608.txt- currently envisioned for SNMP, and are beyond the scope of this
../data/rfc/rfc5608.txt- document.
../data/rfc/rfc5608.txt-
../data/rfc/rfc5608.txt-
--
../data/rfc/rfc6158.txt- Documents" [RFC4181], it is expected that authors will check their
../data/rfc/rfc6158.txt- document against the guidelines in this document prior to publication
../data/rfc/rfc6158.txt- or requesting review (such as an "Expert Review" described in
../data/rfc/rfc6158.txt- [RFC3575]). Similarly, it is expected that this document will be
../data/rfc/rfc6158.txt- used by reviewers (such as WG participants or the Authentication,
../data/rfc/rfc6158.txt: Authorization, and Accounting (AAA) Doctors [DOCTORS]), resulting in
../data/rfc/rfc6158.txt- an improvement in the consistency of reviews.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- In order to meet these objectives, this document needs to cover not
../data/rfc/rfc6158.txt- only the science of attribute design but also the art. Therefore, in
../data/rfc/rfc6158.txt- addition to covering the most frequently encountered issues, this
--
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- Network Access Server (NAS)
../data/rfc/rfc6158.txt- A device that provides an access service for a user to a network.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- RADIUS server
../data/rfc/rfc6158.txt: A RADIUS authentication, authorization, and accounting (AAA)
../data/rfc/rfc6158.txt- server is an entity that provides one or more AAA services to a
../data/rfc/rfc6158.txt- NAS.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- Standard space
../data/rfc/rfc6158.txt- Codes in the RADIUS Attribute Type Space that are allocated by
--
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-1.3. Applicability
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- The advice in this document applies to RADIUS attributes used to
../data/rfc/rfc6158.txt: encode service-provisioning, authentication, or accounting data based
../data/rfc/rfc6158.txt- on the attribute encodings and data formats defined in RFC 2865
../data/rfc/rfc6158.txt- [RFC2865], RFC 2866 [RFC2866], and subsequent RADIUS RFCs.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- Since this document represents a Best Current Practice, it does not
../data/rfc/rfc6158.txt- update or deprecate existing standards. As a result, uses of the
--
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-2. Guidelines
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- The RADIUS protocol as defined in [RFC2865] and [RFC2866] uses
../data/rfc/rfc6158.txt- elements known as attributes in order to represent authentication,
../data/rfc/rfc6158.txt: authorization, and accounting data.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-
--
../data/rfc/rfc6158.txt- fragmented UDP packets, making it difficult to deploy RADIUS in a
../data/rfc/rfc6158.txt- network where those devices are deployed. We RECOMMEND that RADIUS
../data/rfc/rfc6158.txt- messages be kept as small possible.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- If a situation is envisaged where it may be necessary to carry
../data/rfc/rfc6158.txt: authentication, authorization, or accounting data in a packet larger
../data/rfc/rfc6158.txt- than 4096 octets, then one of the following approaches is
../data/rfc/rfc6158.txt- RECOMMENDED:
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- 1. Utilization of a sequence of packets.
../data/rfc/rfc6158.txt- For RADIUS authentication, a sequence of Access-
--
../data/rfc/rfc6158.txt- Filter-Rule Attribute defined in [RFC4849] is not permitted in
../data/rfc/rfc6158.txt- an Access-Challenge packet, nor is a mechanism specified to
../data/rfc/rfc6158.txt- allow a set of NAS-Filter-Rule Attributes to be split across
../data/rfc/rfc6158.txt- an Access-Request/Access-Challenge sequence.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt: In the case of RADIUS accounting, transporting large amounts
../data/rfc/rfc6158.txt: of data would require a sequence of Accounting-Request
../data/rfc/rfc6158.txt- packets. This is a non-trivial change to RADIUS, since RADIUS
../data/rfc/rfc6158.txt: accounting clients would need to be modified to split the
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-DeKok & Weber Best Current Practice [Page 13]
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-RFC 6158 RADIUS Design Guidelines March 2011
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt: attribute stream across multiple Accounting-Requests, and
../data/rfc/rfc6158.txt- billing servers would need to be modified to reassemble and
../data/rfc/rfc6158.txt- interpret the attribute stream.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- 2. Utilization of names rather than values.
../data/rfc/rfc6158.txt- Where an attribute relates to a policy that could conceivably
--
../data/rfc/rfc6158.txt- guidelines for Expert Reviewers appointed as described in [RFC3575].
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt-5. Security Considerations
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- This specification provides guidelines for the design of RADIUS
../data/rfc/rfc6158.txt: attributes used in authentication, authorization, and accounting.
../data/rfc/rfc6158.txt- Threats and security issues for this application are described in
../data/rfc/rfc6158.txt- [RFC3579] and [RFC3580]; security issues encountered in roaming are
../data/rfc/rfc6158.txt- described in [RFC2607].
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- Obfuscation of RADIUS attributes on a per-attribute basis is
--
../data/rfc/rfc6158.txt- Attributes", RFC 2548, March 1999.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
../data/rfc/rfc6158.txt- Implementation in Roaming", RFC 2607, June 1999.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J.,
../data/rfc/rfc6158.txt- Holdrege, M., and I. Goyret, "RADIUS Attributes for
../data/rfc/rfc6158.txt- Tunnel Protocol Support", RFC 2868, June 2000.
../data/rfc/rfc6158.txt-
--
../data/rfc/rfc6158.txt- This restriction includes new commands created by overloading
../data/rfc/rfc6158.txt- the Service-Type Attribute to define new values that modify the
../data/rfc/rfc6158.txt- functionality of Access-Request packets.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- * Using RADIUS as a transport protocol for data unrelated to
../data/rfc/rfc6158.txt: authentication, authorization, or accounting.
../data/rfc/rfc6158.txt- Using RADIUS to transport authentication methods such as EAP is
../data/rfc/rfc6158.txt- explicitly permitted, even if those methods require the
../data/rfc/rfc6158.txt- transport of relatively large amounts of data. Transport of
../data/rfc/rfc6158.txt- opaque data relating to AAA is also permitted, as discussed in
../data/rfc/rfc6158.txt- Section 3.2.3. However, if the specification does not relate to
--
../data/rfc/rfc6158.txt- optionally other information.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- For example, "28800 V42BIS/LAPM" or "52000/31200 V90"
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- More than one Connect-Info attribute may be present in an
../data/rfc/rfc6158.txt: Accounting-Request packet to accommodate expected efforts by ITU
../data/rfc/rfc6158.txt- to have modems report more connection information in a standard
../data/rfc/rfc6158.txt- format that might exceed 252 octets.
../data/rfc/rfc6158.txt-
../data/rfc/rfc6158.txt- This attribute contains no encrypted component and is not directly
../data/rfc/rfc6158.txt- involved in authentication. The individual sub-fields could
--
../data/rfc/rfc5394.txt- - Support for many policies
../data/rfc/rfc5394.txt- The mechanisms must include support for many policies and policy
../data/rfc/rfc5394.txt- configurations. In general, the determination and configuration of
../data/rfc/rfc5394.txt- viable policies are the responsibility of the service provider.
../data/rfc/rfc5394.txt-
../data/rfc/rfc5394.txt: - Provision for monitoring and accounting information
../data/rfc/rfc5394.txt- The mechanisms must include support for monitoring policy state and
../data/rfc/rfc5394.txt- provide access information. In particular, mechanisms must provide
../data/rfc/rfc5394.txt: usage and access information that may be used for accounting
../data/rfc/rfc5394.txt- purposes.
../data/rfc/rfc5394.txt-
../data/rfc/rfc5394.txt- - Fault tolerance and recovery
../data/rfc/rfc5394.txt- The mechanisms must include provisions for fault tolerance and
../data/rfc/rfc5394.txt- recovery from failure cases such as failure of PCC/PCE PDPs,
--
../data/rfc/rfc1935.txt-
../data/rfc/rfc1935.txt-Starting at the Center
../data/rfc/rfc1935.txt-
../data/rfc/rfc1935.txt- For real confusion, start trying to get agreement on what is part of
../data/rfc/rfc1935.txt- the Internet: NSFNET? CIX? Your company's internal network?
../data/rfc/rfc1935.txt: Prodigy? FidoNet? The mainframe in accounting? Some people would
../data/rfc/rfc1935.txt- include all of the above, and perhaps even consider excluding
../data/rfc/rfc1935.txt- anything politically incorrect. Others have cast doubts on each of
../data/rfc/rfc1935.txt- the above.
../data/rfc/rfc1935.txt-
../data/rfc/rfc1935.txt- Let's start some place almost everyone would agree is on the
--
../data/rfc/rfc1935.txt- In addition to computers and networks that fit these classifications,
../data/rfc/rfc1935.txt- there are also LANs, mainframes, and BBSes that don't exchange any
../data/rfc/rfc1935.txt- services with other networks or computers; not even mail. These
../data/rfc/rfc1935.txt- systems are outside the Matrix. For example, many companies have an
../data/rfc/rfc1935.txt- AppleTalk LAN in marketing, a Novell NetWare LAN in management, and a
../data/rfc/rfc1935.txt: mainframe in accounting that aren't connected to talk to anything
../data/rfc/rfc1935.txt- else. In addition, there are a few large networks such as France's
../data/rfc/rfc1935.txt- Teletel (commonly known as Minitel) that support very large user
../data/rfc/rfc1935.txt- populations but don't communicate with anything else. These are all
../data/rfc/rfc1935.txt- currently outside all our Chinese boxes of the core Internet, the
../data/rfc/rfc1935.txt- consumer Internet, and the Matrix.
--
../data/rfc/rfc532.txt- on any of our 7 or 9-track tape drives. Each individual file
../data/rfc/rfc532.txt- transfer is handled by a separate process on the B6700 and the user
../data/rfc/rfc532.txt- is charged for the processor, I/O, core, and (if any) tape charges
../data/rfc/rfc532.txt- incurred by this process (note that these charges are quite minimal).
../data/rfc/rfc532.txt- Each of these transfer processes is given a separate "job" number and
../data/rfc/rfc532.txt: is therefore billed separately for each transfer by our accounting
../data/rfc/rfc532.txt- system.
../data/rfc/rfc532.txt-
../data/rfc/rfc532.txt- Please note that we have implemented FTP as defined in RFC# 354 (July
../data/rfc/rfc532.txt- 8, 1972) except as noted.
../data/rfc/rfc532.txt-
--
../data/rfc/rfc1674.txt- commercial users. Security services which may optionally be expected
../data/rfc/rfc1674.txt- from a Layer 3 entity such as IPng include peer entity
../data/rfc/rfc1674.txt- authentication, data confidentiality, traffic flow confidentiality,
../data/rfc/rfc1674.txt- data integrity and location confidentiality.
../data/rfc/rfc1674.txt-
../data/rfc/rfc1674.txt:Accounting
../data/rfc/rfc1674.txt-
../data/rfc/rfc1674.txt: The ability to do accounting at Layer 3 is a requirement. The CDPD
../data/rfc/rfc1674.txt: specification can be used as a model of the type of accounting
../data/rfc/rfc1674.txt- services that we need.
../data/rfc/rfc1674.txt-
../data/rfc/rfc1674.txt-
../data/rfc/rfc1674.txt-
../data/rfc/rfc1674.txt-
--
../data/rfc/rfc3583.txt-3.4. Standard requirements
../data/rfc/rfc3583.txt-
../data/rfc/rfc3583.txt- The QoS solution for Mobile IP SHOULD satisfy standard requirements
../data/rfc/rfc3583.txt- such as scalability, security, conservation of wireless bandwidth,
../data/rfc/rfc3583.txt- low processing overhead on mobile terminals, providing hooks for
../data/rfc/rfc3583.txt: authorization and accounting, and robustness against failures of any
../data/rfc/rfc3583.txt- Mobile IP-specific QoS components in the network. While it is not
../data/rfc/rfc3583.txt- possible to set quantitative targets for these desirable properties,
../data/rfc/rfc3583.txt- the QoS solution MUST be evaluated against these criteria.
../data/rfc/rfc3583.txt-
../data/rfc/rfc3583.txt-4. Security Considerations
--
../data/rfc/rfc1306.txt- We developed our support for circuit switched services around a
../data/rfc/rfc1306.txt- simple model of a switched network. At some point in the path
../data/rfc/rfc1306.txt- between two hosts, there is a switched network connection. This
../data/rfc/rfc1306.txt- connection is likely to connect two enterprise networks operated by
../data/rfc/rfc1306.txt- the same organization. Administrative overlap between the two
../data/rfc/rfc1306.txt: networks is useful for accounting and configuration purposes. We
../data/rfc/rfc1306.txt- believe that with further investigation circuit switched network
../data/rfc/rfc1306.txt- support could be extended to multiple switched links in an internet
../data/rfc/rfc1306.txt- environment.
../data/rfc/rfc1306.txt-
../data/rfc/rfc1306.txt- The switch which makes the network connection operates on a "by-
--
../data/rfc/rfc1306.txt- bandwidth interactive traffic, change the type-of-service (thus
../data/rfc/rfc1306.txt- activating the switched connection) for bulk transfers, and then
../data/rfc/rfc1306.txt- release the switch upon returning to interactive traffic.
../data/rfc/rfc1306.txt-
../data/rfc/rfc1306.txt- Putting this feature into the kernel also allows strong control over
../data/rfc/rfc1306.txt: when and how the switched link can be used, keeping accounting
../data/rfc/rfc1306.txt- information, and limiting multiple use access to the switched link.
../data/rfc/rfc1306.txt-
../data/rfc/rfc1306.txt- The disadvantage is that significant kernel modifications are
../data/rfc/rfc1306.txt- required, and some implementation details can be very difficult to
../data/rfc/rfc1306.txt- handle.
--
../data/rfc/rfc7933.txt- at the proper level. Therefore, there is a need to either include
../data/rfc/rfc7933.txt- some location semantics in the data chunks so as to properly
../data/rfc/rfc7933.txt- assess the throughput to a specific location or to design a
../data/rfc/rfc7933.txt- different mechanism to evaluate the available network bandwidth.
../data/rfc/rfc7933.txt-
../data/rfc/rfc7933.txt: o The typical issue of access control and accounting happens in this
../data/rfc/rfc7933.txt- context, where chunks can be cached in the network outside of the
../data/rfc/rfc7933.txt- administrative control of the content publisher. It might be a
../data/rfc/rfc7933.txt- requirement from the owner of the video stream that access to
../data/rfc/rfc7933.txt- these data chunks needs to be accounted/billed/monitored.
../data/rfc/rfc7933.txt-
--
../data/rfc/rfc7933.txt-
../data/rfc/rfc7933.txt-8. Digital Rights Management in ICN
../data/rfc/rfc7933.txt-
../data/rfc/rfc7933.txt- This section discusses the need for DRM functionalities for
../data/rfc/rfc7933.txt- multimedia streaming over ICN. It focuses on two possible
../data/rfc/rfc7933.txt: approaches: modifying Authentication, Authorization, and Accounting
../data/rfc/rfc7933.txt- (AAA) to support DRM in ICN and using Broadcast Encryption.
../data/rfc/rfc7933.txt-
../data/rfc/rfc7933.txt- It is assumed that ICN will be used heavily for digital content
../data/rfc/rfc7933.txt- dissemination. It is vital to consider DRM for digital content
../data/rfc/rfc7933.txt- distribution. In today's Internet, there are two predominant classes
--
../data/rfc/rfc1752.txt- industries that many feel will be the major providers of data
../data/rfc/rfc1752.txt- networking services in the future; the cable TV industry [Vecchi94],
../data/rfc/rfc1752.txt- the cellular industry [Taylor94], and the electric power industry
../data/rfc/rfc1752.txt- [Skelton94]. In addition, we received papers that dealt with
../data/rfc/rfc1752.txt- military applications [Adam94, Syming94, Green94], ATM [Brazd94],
../data/rfc/rfc1752.txt: mobility [Simpson94], accounting [Brown94], routing [Estrin94a,
../data/rfc/rfc1752.txt- Chiappa94], security [Adam94, Bell94b, Brit94, Green94, Vecchi94,
../data/rfc/rfc1752.txt- Flei94], large corporate networking [Britt94, Fleisch94], transition
../data/rfc/rfc1752.txt- [Carpen94a, Heager94], market acceptance [Curran94, Britt94], host
../data/rfc/rfc1752.txt- implementations [Bound94], as well as a number of other issues.
../data/rfc/rfc1752.txt- [Bello94a, Clark94, Ghisel94]
--
../data/rfc/rfc1752.txt- Bellcore, August 1994.
../data/rfc/rfc1752.txt-
../data/rfc/rfc1752.txt- [Britt94] Britton, E., and J. Tavs, "IPng Requirements of Large
../data/rfc/rfc1752.txt- Corporate Networks", RFC 1678, IBM, August 1994.
../data/rfc/rfc1752.txt-
../data/rfc/rfc1752.txt: [Brownl94] Brownlee, J., "Accounting Requirements for IPng", RFC
../data/rfc/rfc1752.txt- 1672, University of Auckland, August 1994.
../data/rfc/rfc1752.txt-
../data/rfc/rfc1752.txt- [Carpen94a] Carpenter, B., "IPng White Paper on Transition and Other
../data/rfc/rfc1752.txt- Considerations", RFC 1671, CERN, August 1994.
../data/rfc/rfc1752.txt-
--
../data/rfc/rfc3512.txt- information an agent will expose.
../data/rfc/rfc3512.txt-
../data/rfc/rfc3512.txt- MIB modules can be thought of as logical models providing one or more
../data/rfc/rfc3512.txt- aspects/views of a subsystem. The objective for all MIB modules
../data/rfc/rfc3512.txt- should be to serve one or more operational requirements such as
../data/rfc/rfc3512.txt: accounting information collection, configuration of one or more parts
../data/rfc/rfc3512.txt- of a system, or fault identification. However, it is important to
../data/rfc/rfc3512.txt- include only those aspects of a subsystem that are proven to be
../data/rfc/rfc3512.txt- operationally useful.
../data/rfc/rfc3512.txt-
../data/rfc/rfc3512.txt- In 1993, one of most widely deployed MIB modules supporting
--
../data/rfc/rfc3512.txt- the function they perform. For example the objects that control
../data/rfc/rfc3512.txt- configuration in the example MIB module in Section 8 include "Cfg" as
../data/rfc/rfc3512.txt- part of the object descriptor, as in bldgHVACCfgDesiredTemp.
../data/rfc/rfc3512.txt-
../data/rfc/rfc3512.txt- This is more fully realized when the object descriptors that include
../data/rfc/rfc3512.txt: the fault, configuration, accounting, performance and security [33]
../data/rfc/rfc3512.txt- abbreviations are combined with an organized OID assignment approach.
../data/rfc/rfc3512.txt- For example, a vendor could create a configuration branch in their
../data/rfc/rfc3512.txt- private enterprises area. In some cases this might be best done on a
../data/rfc/rfc3512.txt- per product basis. Whatever the approach used, "Cfg" might be
../data/rfc/rfc3512.txt- included in every object descriptor in the configuration branch.
--
../data/rfc/rfc2199.txt-Ramos Informational [Page 13]
../data/rfc/rfc2199.txt-
../data/rfc/rfc2199.txt-RFC 2199 Summary of 2100-2199 January 1998
../data/rfc/rfc2199.txt-
../data/rfc/rfc2199.txt-
../data/rfc/rfc2199.txt:2139 Rigney Apr 97 RADIUS Accounting
../data/rfc/rfc2199.txt-
../data/rfc/rfc2199.txt:This document describes a protocol for carrying accounting information
../data/rfc/rfc2199.txt:between a Network Access Server and a shared Accounting Server. This
../data/rfc/rfc2199.txt-memo provides information for the Internet community. This memo does
../data/rfc/rfc2199.txt-not specify an Internet standard of any kind.
../data/rfc/rfc2199.txt-
../data/rfc/rfc2199.txt-
../data/rfc/rfc2199.txt-2138 Rigney Apr 97 Remote Authentication Dial In User
--
../data/rfc/rfc4565.txt- M., Hares, S., and N. Cam Winget, "Light Weight Access
../data/rfc/rfc4565.txt- Point Protocol (LWAPP)", Work in Progress, March 2005.
../data/rfc/rfc4565.txt-
../data/rfc/rfc4565.txt- [RFC3127] Mitton, D., St.Johns, M., Barkley, S., Nelson, D., Patil,
../data/rfc/rfc4565.txt- B., Stevens, M., and B. Wolff, "Authentication,
../data/rfc/rfc4565.txt: Authorization, and Accounting: Protocol Evaluation", RFC
../data/rfc/rfc4565.txt- 3127, June 2001.
../data/rfc/rfc4565.txt-
../data/rfc/rfc4565.txt- [SLAPP] Narasimhan, P., Harkins, D., and S. Ponnuswamy, "SLAPP :
../data/rfc/rfc4565.txt- Secure Light Access Point Protocol", Work in Progress, May
../data/rfc/rfc4565.txt- 2005.
--
../data/rfc/rfc5637.txt- R. Lopez
../data/rfc/rfc5637.txt- University of Murcia
../data/rfc/rfc5637.txt- September 2009
../data/rfc/rfc5637.txt-
../data/rfc/rfc5637.txt-
../data/rfc/rfc5637.txt: Authentication, Authorization, and Accounting (AAA) Goals
../data/rfc/rfc5637.txt- for Mobile IPv6
../data/rfc/rfc5637.txt-
../data/rfc/rfc5637.txt-Abstract
../data/rfc/rfc5637.txt-
../data/rfc/rfc5637.txt- In commercial and enterprise deployments, Mobile IPv6 can be a
../data/rfc/rfc5637.txt- service offered by a Mobility Services Provider (MSP). In this case,
../data/rfc/rfc5637.txt- all protocol operations may need to be explicitly authorized and
../data/rfc/rfc5637.txt- traced, requiring the interaction between Mobile IPv6 and the AAA
../data/rfc/rfc5637.txt- infrastructure. Integrating the Authentication, Authorization, and
../data/rfc/rfc5637.txt: Accounting (AAA) infrastructure (e.g., Network Access Server and AAA
../data/rfc/rfc5637.txt- server) also offers a solution component for Mobile IPv6
../data/rfc/rfc5637.txt- bootstrapping. This document describes various scenarios where a AAA
../data/rfc/rfc5637.txt- interface for Mobile IPv6 is required. Additionally, it lists design
../data/rfc/rfc5637.txt- goals and requirements for such an interface.
../data/rfc/rfc5637.txt-
--
../data/rfc/rfc5637.txt- 4.1. Split Scenario .............................................5
../data/rfc/rfc5637.txt- 4.2. Integrated Scenario ........................................6
../data/rfc/rfc5637.txt- 5. Goals for AAA-HA Interface ......................................6
../data/rfc/rfc5637.txt- 5.1. General Goals ..............................................6
../data/rfc/rfc5637.txt- 5.2. Service Authorization ......................................7
../data/rfc/rfc5637.txt: 5.3. Accounting .................................................8
../data/rfc/rfc5637.txt- 5.4. Mobile Node Authentication .................................8
../data/rfc/rfc5637.txt- 5.5. Provisioning of Configuration Parameters ...................8
../data/rfc/rfc5637.txt- 6. Goals for the AAA-NAS Interface .................................9
../data/rfc/rfc5637.txt- 7. Security Considerations .........................................9
../data/rfc/rfc5637.txt- 8. Acknowledgements ................................................9
--
../data/rfc/rfc5637.txt-
../data/rfc/rfc5637.txt-1. Introduction
../data/rfc/rfc5637.txt-
../data/rfc/rfc5637.txt- Mobile IPv6 [1] provides the basic IP mobility functionality for
../data/rfc/rfc5637.txt- IPv6. When Mobile IPv6 is used in tightly managed environments with
../data/rfc/rfc5637.txt: the use of the AAA (Authentication, Authorization, and Accounting)
../data/rfc/rfc5637.txt- infrastructure, an interface between Mobile IPv6 and AAA protocols
../data/rfc/rfc5637.txt- needs to be defined. Also, two scenarios for bootstrapping Mobile
../data/rfc/rfc5637.txt- IPv6 service [2], i.e., split [3] and integrated [6] scenarios,
../data/rfc/rfc5637.txt- require the specification of a message exchange between the Home
../data/rfc/rfc5637.txt- Agent (HA) and AAA infrastructure for authentication and
--
../data/rfc/rfc5637.txt- address as specified in [6]).
../data/rfc/rfc5637.txt-
../data/rfc/rfc5637.txt- Moreover, in case Mobile IPv6 is a service offered by a Mobility
../data/rfc/rfc5637.txt- Service Provider (MSP), all protocol operations (e.g., home
../data/rfc/rfc5637.txt- registrations) may need to be explicitly authorized and monitored
../data/rfc/rfc5637.txt: (e.g., for accounting purposes). This can be accomplished relying on
../data/rfc/rfc5637.txt- the AAA infrastructure of the Mobility Service Authorizer (MSA) that
../data/rfc/rfc5637.txt- stores user profiles and credentials.
../data/rfc/rfc5637.txt-
../data/rfc/rfc5637.txt-4. Bootstrapping Scenarios
../data/rfc/rfc5637.txt-
--
../data/rfc/rfc5637.txt- G2.12 The HA MUST be able to authenticate the MN through the AAAH
../data/rfc/rfc5637.txt- server in case a pre-shared key is used in IKEv2 for user
../data/rfc/rfc5637.txt- authentication. The exact procedure is part of the solution
../data/rfc/rfc5637.txt- space.
../data/rfc/rfc5637.txt-
../data/rfc/rfc5637.txt:5.3. Accounting
../data/rfc/rfc5637.txt-
../data/rfc/rfc5637.txt: G3.1 The AAA-HA interface MUST support the transfer of accounting
../data/rfc/rfc5637.txt- records needed for service control and charging. These include
../data/rfc/rfc5637.txt- (but may not be limited to): time of binding cache entry
../data/rfc/rfc5637.txt- creation and deletion, octets sent and received by the Mobile
../data/rfc/rfc5637.txt- Node in bi-directional tunneling, etc.
../data/rfc/rfc5637.txt-
--
../data/rfc/rfc3539.txt-Category: Standards Track J. Wood
../data/rfc/rfc3539.txt- Sun Microsystems, Inc.
../data/rfc/rfc3539.txt- June 2003
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt: Authentication, Authorization and Accounting (AAA) Transport Profile
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-Status of this Memo
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- This document specifies an Internet standards track protocol for the
../data/rfc/rfc3539.txt- Internet community, and requests discussion and suggestions for
--
../data/rfc/rfc3539.txt- Copyright (C) The Internet Society (2003). All Rights Reserved.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-Abstract
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- This document discusses transport issues that arise within protocols
../data/rfc/rfc3539.txt: for Authentication, Authorization and Accounting (AAA). It also
../data/rfc/rfc3539.txt- provides recommendations on the use of transport by AAA protocols.
../data/rfc/rfc3539.txt- This includes usage of standards-track RFCs as well as experimental
../data/rfc/rfc3539.txt- proposals.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-Table of Contents
--
../data/rfc/rfc3539.txt- Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 41
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-1. Introduction
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- This document discusses transport issues that arise within protocols
../data/rfc/rfc3539.txt: for Authentication, Authorization and Accounting (AAA). It also
../data/rfc/rfc3539.txt- provides recommendations on the use of transport by AAA protocols.
../data/rfc/rfc3539.txt- This includes usage of standards-track RFCs as well as experimental
../data/rfc/rfc3539.txt- proposals.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-1.1. Requirements Language
--
../data/rfc/rfc3539.txt- "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
../data/rfc/rfc3539.txt- described in [RFC2119].
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-1.2. Terminology
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt: Accounting
../data/rfc/rfc3539.txt- The act of collecting information on resource usage for the
../data/rfc/rfc3539.txt- purpose of trend analysis, auditing, billing, or cost
../data/rfc/rfc3539.txt- allocation.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-
--
../data/rfc/rfc3539.txt- forward proxies need to implement AAA client and server
../data/rfc/rfc3539.txt- functionality for the messages that they handle. Store and
../data/rfc/rfc3539.txt- Forward proxies also typically keep state on conversations
../data/rfc/rfc3539.txt- in progress in order to assure delivery of proxied Requests
../data/rfc/rfc3539.txt- and Responses. While store and forward proxies are most
../data/rfc/rfc3539.txt: frequently deployed for accounting, they also can be used
../data/rfc/rfc3539.txt- to implement authentication/authorization policy.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- Network-driven transport
../data/rfc/rfc3539.txt- Transport behavior is said to be "network driven" when the
../data/rfc/rfc3539.txt- rate at which messages are sent is limited by the
--
../data/rfc/rfc3539.txt- application, rather than by the size of the congestion window.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- For example, let us assume a 48-port NAS with an average session time
../data/rfc/rfc3539.txt- of 20 minutes. This device will, on average, send only 144
../data/rfc/rfc3539.txt- authentication/authorization requests/hour, and an equivalent number
../data/rfc/rfc3539.txt: of accounting requests. This represents an average inter-packet
../data/rfc/rfc3539.txt- spacing of 25 seconds, which is much larger than the Round Trip Time
../data/rfc/rfc3539.txt- (RTT) in most networks.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-
--
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- Even on much larger NAS devices, the inter-packet spacing is often
../data/rfc/rfc3539.txt- larger than the RTT. For example, consider a 2048-port NAS with an
../data/rfc/rfc3539.txt- average session time of 10 minutes. It will on average send 3.4
../data/rfc/rfc3539.txt- authentication/authorization requests/second, and an equivalent
../data/rfc/rfc3539.txt: number of accounting requests. This translates to an average inter-
../data/rfc/rfc3539.txt- packet spacing of 293 ms.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- However, even where transport behavior is largely application-driven,
../data/rfc/rfc3539.txt- periods of network-driven behavior can occur. For example, after a
../data/rfc/rfc3539.txt: NAS reboot, previously stored accounting records may be sent to the
../data/rfc/rfc3539.txt: accounting server in rapid succession. Similarly, after recovery
../data/rfc/rfc3539.txt- from a power failure, users may respond with a large number of
../data/rfc/rfc3539.txt- simultaneous logins. In both cases, AAA messages may be generated
../data/rfc/rfc3539.txt- more quickly than the network will allow them to be sent, and a queue
../data/rfc/rfc3539.txt- will build up.
../data/rfc/rfc3539.txt-
--
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- Let us consider what happens when 10,000 48-ports NASes, each with an
../data/rfc/rfc3539.txt- average session time of 20 minutes, are configured with the same AAA
../data/rfc/rfc3539.txt- agent or server. The unfortunate proxy or server would receive 400
../data/rfc/rfc3539.txt- authentication/authorization requests/second and an equivalent number
../data/rfc/rfc3539.txt: of accounting requests. For 1000 octet requests, this would generate
../data/rfc/rfc3539.txt- 6.4 Mbps of incoming traffic at the AAA agent or server.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- While this transaction load is within the capabilities of the fastest
../data/rfc/rfc3539.txt- AAA agents and servers, implementations exist that cannot handle such
../data/rfc/rfc3539.txt- a high load. Thus high queuing delays and/or dropped packets may be
--
../data/rfc/rfc3539.txt- can be reduced by combining multiple AAA messages within a single
../data/rfc/rfc3539.txt- packet.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- Where AAA runs over TCP and transport behavior is network-driven,
../data/rfc/rfc3539.txt- such as after a reboot when many users login simultaneously, or many
../data/rfc/rfc3539.txt: stored accounting records need to be sent, the Nagle algorithm will
../data/rfc/rfc3539.txt- result in "transport layer batching" of AAA messages. While this
../data/rfc/rfc3539.txt- does not reduce the work required by the application in parsing
../data/rfc/rfc3539.txt- packets and responding to the messages, it does reduce the number of
../data/rfc/rfc3539.txt- packets processed by routers along the path. The Nagle algorithm is
../data/rfc/rfc3539.txt- not used with SCTP.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- Where AAA transport is application-driven, the NAS will typically
../data/rfc/rfc3539.txt- receive a reply from the home server prior to having another request
../data/rfc/rfc3539.txt: to send. This implies, for example, that accounting requests will
../data/rfc/rfc3539.txt- typically be sent individually rather than being batched by the
../data/rfc/rfc3539.txt- transport layer. As a result, within the application-driven regime,
../data/rfc/rfc3539.txt- the Nagle algorithm [RFC896] is ineffective.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-2.4. Multiple Connections
--
../data/rfc/rfc3539.txt- those sent on the failed connection. As a result, AAA agents and
../data/rfc/rfc3539.txt- servers MUST be prepared to handle duplicates, and MUST assume that
../data/rfc/rfc3539.txt- duplicates can arrive on any connection.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- For example, in billing, it is necessary to be able to weed out
../data/rfc/rfc3539.txt: duplicate accounting records, based on the accounting session-id,
../data/rfc/rfc3539.txt- event-timestamp and NAS identification information. Where
../data/rfc/rfc3539.txt- authentication requests are always idempotent, the resultant
../data/rfc/rfc3539.txt- duplicate responses from multiple servers will presumably be
../data/rfc/rfc3539.txt- identical, so that little harm will result.
../data/rfc/rfc3539.txt-
--
../data/rfc/rfc3539.txt-Aboba & Wood Standards Track [Page 26]
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-RFC 3539 AAA Transport Profile June 2003
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- [RFC2914] Floyd, S., "Congestion Control Principles", BCP 41, RFC
../data/rfc/rfc3539.txt- 2914, September 2000.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- [RFC2975] Aboba, B., Arkko, J. and D. Harrington, "Introduction to
../data/rfc/rfc3539.txt: Accounting Management", RFC 2975, June 2000.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- [RFC3390] Allman, M., Floyd, S. and C. Partridge, "Increasing TCP's
../data/rfc/rfc3539.txt- Initial Window", RFC 3390, October 2002.
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- [Congest] Jacobson, V., "Congestion Avoidance and Control", Computer
--
../data/rfc/rfc3539.txt-Appendix B - AAA Agents
../data/rfc/rfc3539.txt-
../data/rfc/rfc3539.txt- As described in [RFC2865] and [RFC2607], AAA agents have become
../data/rfc/rfc3539.txt- popular in order to support services such as roaming and shared use
../data/rfc/rfc3539.txt- networks. Such agents are used both for
../data/rfc/rfc3539.txt: authentication/authorization, as well as accounting [RFC2975].
../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt- AAA agents include: ../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt- Relays ../data/rfc/rfc3539.txt- Proxies -- ../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt-B.3 Store and Forward Proxies ../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt- With a store and forward proxy, the proxy may send a reply to the NAS ../data/rfc/rfc3539.txt- prior to forwarding the request to the server. While store and ../data/rfc/rfc3539.txt: forward proxies are most frequently deployed for accounting ../data/rfc/rfc3539.txt- [RFC2975], they also can be used to implement ../data/rfc/rfc3539.txt- authentication/authorization policy, as described in [RFC2607]. ../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt- As noted in [RFC2975], store and forward proxies can have a negative ../data/rfc/rfc3539.txt: effect on accounting reliability. By sending a reply to the NAS ../data/rfc/rfc3539.txt: without receiving one from the accounting server, store and forward ../data/rfc/rfc3539.txt: proxies fool the NAS into thinking that the accounting request had ../data/rfc/rfc3539.txt: been accepted by the accounting server when this is not the case. As ../data/rfc/rfc3539.txt: a result, the NAS can delete the accounting packet from non-volatile ../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt-Aboba & Wood Standards Track [Page 36] ../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt-RFC 3539 AAA Transport Profile June 2003 ../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt: storage before it has been accepted by the accounting server. That ../data/rfc/rfc3539.txt: leaves the proxy responsible for delivering accounting packets. If ../data/rfc/rfc3539.txt- the proxy involves moving parts (e.g. a disk drive) while the NAS ../data/rfc/rfc3539.txt- does not, overall system reliability can be reduced. As a result, ../data/rfc/rfc3539.txt- store and forward proxies SHOULD NOT be used. 
../data/rfc/rfc3539.txt- ../data/rfc/rfc3539.txt- The sequence of events is as follows: -- ../data/rfc/rfc4058.txt- 2. Requirements Notation ...........................................3 ../data/rfc/rfc4058.txt- 3. Terminology .....................................................4 ../data/rfc/rfc4058.txt- 4. Requirements ....................................................4 ../data/rfc/rfc4058.txt- 4.1. Authentication .............................................4 ../data/rfc/rfc4058.txt- 4.1.1. Authentication of Client ............................4 ../data/rfc/rfc4058.txt: 4.1.2. Authorization, Accounting, and Access Control .......6 ../data/rfc/rfc4058.txt- 4.1.3. Authentication Backend ..............................7 ../data/rfc/rfc4058.txt- 4.1.4. Identifiers .........................................7 ../data/rfc/rfc4058.txt- 4.2. IP Address Assignment ......................................7 ../data/rfc/rfc4058.txt- 4.3. EAP Lower Layer Requirements ...............................7 ../data/rfc/rfc4058.txt- 4.4. PAA-to-EP Protocol .........................................8 -- ../data/rfc/rfc4058.txt- where the network is vulnerable to man-in-the-middle attacks. While ../data/rfc/rfc4058.txt- PANA MUST provide such a capability, its utility relies on the use of ../data/rfc/rfc4058.txt- an authentication method that can generate keys for cryptographic ../data/rfc/rfc4058.txt- computations on PaC and PAA. ../data/rfc/rfc4058.txt- ../data/rfc/rfc4058.txt:4.1.2. Authorization, Accounting, and Access Control ../data/rfc/rfc4058.txt- ../data/rfc/rfc4058.txt- After a device is authenticated by using PANA, it MUST be authorized ../data/rfc/rfc4058.txt- for "network access." That is, the core requirement of PANA is to ../data/rfc/rfc4058.txt- verify the authorization of a PaC so that PaC's device may send and ../data/rfc/rfc4058.txt- receive any IP packets. 
It may also be possible to provide finer -- ../data/rfc/rfc4058.txt- network, PaC and EPs should have the required IPsec SA in place. ../data/rfc/rfc4058.txt- Generating the IPsec SAs based on EAP keys is outside the scope of ../data/rfc/rfc4058.txt- PANA protocol. This transformation MUST be handled by a separate ../data/rfc/rfc4058.txt- secure association protocol (see section 4.1.1). ../data/rfc/rfc4058.txt- ../data/rfc/rfc4058.txt: Carrying accounting data is outside the scope of PANA. ../data/rfc/rfc4058.txt- ../data/rfc/rfc4058.txt- ../data/rfc/rfc4058.txt- ../data/rfc/rfc4058.txt- ../data/rfc/rfc4058.txt-Yegin, et al. Informational [Page 6] -- ../data/rfc/rfc4058.txt- PANA payload, or implicitly as the source of the PANA message, or ../data/rfc/rfc4058.txt- both. Multi-access networks also require use of a cryptographic ../data/rfc/rfc4058.txt- protection along with DI filtering to prevent unauthorized access ../data/rfc/rfc4058.txt- [RFC4016]. The keying material required by the cryptographic methods ../data/rfc/rfc4058.txt- needs to be indexed by the DI. As described in section 4.1.2, the ../data/rfc/rfc4058.txt: binding between DI and PaCI is used for access control and accounting ../data/rfc/rfc4058.txt- in the network. ../data/rfc/rfc4058.txt- ../data/rfc/rfc4058.txt-4.2. IP Address Assignment ../data/rfc/rfc4058.txt- ../data/rfc/rfc4058.txt- Assigning an IP address to the client is outside the scope of PANA. -- ../data/rfc/rfc5030.txt- Thus, the Mobile IP group developed a set of guidelines and ../data/rfc/rfc5030.txt- requirements from the Mobile IP standpoint [RFC2977] specifically for ../data/rfc/rfc5030.txt- such a successor (which turned out to be Diameter). These ../data/rfc/rfc5030.txt- requirements led to the development of a specification for using ../data/rfc/rfc5030.txt- Diameter in Mobile IPv4 bootstrapping [RFC4004]. 
The requirements ../data/rfc/rfc5030.txt: for Mobile IP Authentication, Authorization, and Accounting [RFC2977] ../data/rfc/rfc5030.txt- were standardized after the standardization of RADIUS [RFC2865]. ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- Thus, it is obvious that RADIUS does not and cannot meet all the ../data/rfc/rfc5030.txt- requirements listed in [RFC2977] without undergoing an extensive ../data/rfc/rfc5030.txt- design change. Consequently, within IETF no RADIUS attributes have -- ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, ../data/rfc/rfc5030.txt- "Remote Authentication Dial In User Service (RADIUS)", ../data/rfc/rfc5030.txt- RFC 2865, June 2000. ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt-Nakhjiri, et al. Informational [Page 6] ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt-RFC 5030 Mobile IPv4 RADIUS Requirements October 2007 ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt: [RFC2867] Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting ../data/rfc/rfc5030.txt- Modifications for Tunnel Protocol Support", RFC 2867, ../data/rfc/rfc5030.txt- June 2000. ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- [RFC2977] Glass, S., Hiller, T., Jacobs, S., and C. Perkins, "Mobile ../data/rfc/rfc5030.txt: IP Authentication, Authorization, and Accounting ../data/rfc/rfc5030.txt- Requirements", RFC 2977, October 2000. ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- [RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, ../data/rfc/rfc5030.txt- August 2002. ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- [RFC3957] Perkins, C. and P. 
Calhoun, "Authentication, ../data/rfc/rfc5030.txt: Authorization, and Accounting (AAA) Registration Keys for ../data/rfc/rfc5030.txt- Mobile IPv4", RFC 3957, March 2005. ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- [RFC4004] Calhoun, P., Johansson, T., Perkins, C., Hiller, T., and ../data/rfc/rfc5030.txt- P. McCann, "Diameter Mobile IPv4 Application", RFC 4004, ../data/rfc/rfc5030.txt- August 2005. -- ../data/rfc/rfc5030.txt- [RFC4721] Perkins, C., Calhoun, P., and J. Bharatia, "Mobile IPv4 ../data/rfc/rfc5030.txt- Challenge/Response Extensions (Revised)", RFC 4721, ../data/rfc/rfc5030.txt- January 2007. ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, ../data/rfc/rfc5030.txt: Authorization, and Accounting (AAA) Key Management", ../data/rfc/rfc5030.txt- BCP 132, RFC 4962, July 2007. ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt-8.2. Informative References ../data/rfc/rfc5030.txt- ../data/rfc/rfc5030.txt- [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, -- ../data/rfc/rfc3234.txt-2.12. Gatekeepers/ session control boxes ../data/rfc/rfc3234.txt- ../data/rfc/rfc3234.txt- Particularly with the rise of IP Telephony, the need to create and ../data/rfc/rfc3234.txt- manage sessions other than TCP connections has arisen. In a ../data/rfc/rfc3234.txt- multimedia environment that has to deal with name lookup, ../data/rfc/rfc3234.txt: authentication, authorization, accounting, firewall traversal, and ../data/rfc/rfc3234.txt- sometimes media conversion, the establishment and control of a ../data/rfc/rfc3234.txt- session by a third-party box seems to be the inevitable solution. ../data/rfc/rfc3234.txt- Examples include H.323 gatekeepers [H323], SIP servers [RFC 2543] and ../data/rfc/rfc3234.txt- MEGACO controllers [RFC 3015]. ../data/rfc/rfc3234.txt- -- ../data/rfc/rfc3234.txt- particular impact on the data stream. 
../data/rfc/rfc3234.txt- ../data/rfc/rfc3234.txt- Additionally, content caches and content distribution mechanisms ../data/rfc/rfc3234.txt- raise the issue of access control for content that is subject to ../data/rfc/rfc3234.txt- copyright or other rights. Distributed authentication, authorisation ../data/rfc/rfc3234.txt: and accounting are required. ../data/rfc/rfc3234.txt- ../data/rfc/rfc3234.txt-6. Acknowledgements ../data/rfc/rfc3234.txt- ../data/rfc/rfc3234.txt- Steve Bellovin, Jon Crowcroft, Steve Deering, Patrik Faltstrom, ../data/rfc/rfc3234.txt- Henning Schulzrinne, and Lixia Zhang all gave valuable feedback on -- ../data/rfc/rfc4105.txt- over how traffic demands are routed over a network topology and ../data/rfc/rfc4105.txt- utilize a network's resources. ../data/rfc/rfc4105.txt- ../data/rfc/rfc4105.txt- Note also that TE LSPs allow measuring traffic matrix in a simple and ../data/rfc/rfc4105.txt- scalable manner. The aggregated traffic rate between two LSRs is ../data/rfc/rfc4105.txt: easily measured by accounting of traffic sent onto a TE LSP ../data/rfc/rfc4105.txt- provisioned between the two LSRs in question. ../data/rfc/rfc4105.txt- ../data/rfc/rfc4105.txt- ../data/rfc/rfc4105.txt- ../data/rfc/rfc4105.txt- -- ../data/rfc/rfc4657.txt- requests as set forth in Section 5.1.8. ../data/rfc/rfc4657.txt- ../data/rfc/rfc4657.txt- The path computation request message MUST support TE LSP path ../data/rfc/rfc4657.txt- reoptimization and the inclusion of a previously computed path. This ../data/rfc/rfc4657.txt- will help ensure optimal routing of a reoptimized path, since it will ../data/rfc/rfc4657.txt: allow the PCE to avoid double bandwidth accounting and help reduce ../data/rfc/rfc4657.txt- blocking issues. ../data/rfc/rfc4657.txt- ../data/rfc/rfc4657.txt-6. 
Security Considerations ../data/rfc/rfc4657.txt- ../data/rfc/rfc4657.txt- Key management MUST be provided by the PCECP to provide for the -- ../data/rfc/rfc4657.txt- Extensions to RSVP for LSP Tunnels", RFC 3209, ../data/rfc/rfc4657.txt- December 2001. ../data/rfc/rfc4657.txt- ../data/rfc/rfc4657.txt- [RFC3127] Mitton, D., St.Johns, M., Barkley, S., Nelson, ../data/rfc/rfc4657.txt- D., Patil, B., Stevens, M., and B. Wolff, ../data/rfc/rfc4657.txt: "Authentication, Authorization, and Accounting: ../data/rfc/rfc4657.txt- Protocol Evaluation", RFC 3127, June 2001. ../data/rfc/rfc4657.txt- ../data/rfc/rfc4657.txt- ../data/rfc/rfc4657.txt- ../data/rfc/rfc4657.txt- -- ../data/rfc/rfc6241.txt- NETCONF session programmatically from within NETCONF if one knows the ../data/rfc/rfc6241.txt- session identifier of the offending session. The other possible way ../data/rfc/rfc6241.txt- to break a lock is to provide a function within the device's native ../data/rfc/rfc6241.txt- user interface. These two mechanisms suffer from a race condition ../data/rfc/rfc6241.txt- that could be ameliorated by removing the offending user from an ../data/rfc/rfc6241.txt: Authentication, Authorization, and Accounting (AAA) server. However, ../data/rfc/rfc6241.txt- such a solution is not useful in all deployment scenarios, such as ../data/rfc/rfc6241.txt- those where SSH public/private key pairs are used. ../data/rfc/rfc6241.txt- ../data/rfc/rfc6241.txt-10. IANA Considerations ../data/rfc/rfc6241.txt- -- ../data/rfc/rfc3141.txt- Copyright (C) The Internet Society (2001). All Rights Reserved. 
../data/rfc/rfc3141.txt- ../data/rfc/rfc3141.txt-Abstract ../data/rfc/rfc3141.txt- ../data/rfc/rfc3141.txt- This memo specifies cdma2000 wireless data AAA (Authentication, ../data/rfc/rfc3141.txt: Authorization, Accounting) requirements associated with third ../data/rfc/rfc3141.txt- generation wireless architecture that supports roaming among service ../data/rfc/rfc3141.txt- providers for traditional PPP and Mobile IP services. ../data/rfc/rfc3141.txt- ../data/rfc/rfc3141.txt- ../data/rfc/rfc3141.txt- -- ../data/rfc/rfc3141.txt- home ISP, or private network. ../data/rfc/rfc3141.txt- o Support IP Security on the Mobile IP tunnel between Foreign ../data/rfc/rfc3141.txt- Agent and Home Agent, in order to avoid the overhead of a ../data/rfc/rfc3141.txt- voluntary tunnel on the radio interface. ../data/rfc/rfc3141.txt- ../data/rfc/rfc3141.txt: o Provide robust authentication, authorization and accounting ../data/rfc/rfc3141.txt- services (AAA): ../data/rfc/rfc3141.txt- ../data/rfc/rfc3141.txt- o Provide separation of airlink resource AAA services and data ../data/rfc/rfc3141.txt- resource AAA services. ../data/rfc/rfc3141.txt- o Authenticate and authorize a mobile based on an IMSI and an -- ../data/rfc/rfc3141.txt-2.1. 
PDSN ../data/rfc/rfc3141.txt- ../data/rfc/rfc3141.txt- o Acts as a Foreign Agent; ../data/rfc/rfc3141.txt- o Establish, maintain, and terminate link layer to the mobile ../data/rfc/rfc3141.txt- client; ../data/rfc/rfc3141.txt: o Initiate the authentication, authorization and accounting for ../data/rfc/rfc3141.txt- the mobile client; ../data/rfc/rfc3141.txt- o Optionally, securely tunnel using IP security to the Home ../data/rfc/rfc3141.txt- Agent; ../data/rfc/rfc3141.txt- o Receives service parameters from AAA for mobile client; ../data/rfc/rfc3141.txt: o Collect usage data for accounting purposes to be relayed to ../data/rfc/rfc3141.txt- AAA; ../data/rfc/rfc3141.txt- o Routes packets to external packet data networks or to the HA in ../data/rfc/rfc3141.txt- the case of reverse tunneling; ../data/rfc/rfc3141.txt- o Maps home address and Home Agent address to a unique link layer ../data/rfc/rfc3141.txt- identifier used to communicate with Radio Network. ../data/rfc/rfc3141.txt- ../data/rfc/rfc3141.txt:2.2. Authentication, Authorization, and Accounting Server ../data/rfc/rfc3141.txt- ../data/rfc/rfc3141.txt- o Interact with the Foreign Agent and other AAA servers to ../data/rfc/rfc3141.txt: authorize, authenticate and perform accounting for the mobile ../data/rfc/rfc3141.txt- client; ../data/rfc/rfc3141.txt- o Provides mechanism to support security association between ../data/rfc/rfc3141.txt- PDSN/FA and HA and between the MN and PDSN/FA; ../data/rfc/rfc3141.txt- o For dynamic Home Agent assignment, dynamically identify an HA ../data/rfc/rfc3141.txt- and assign a MN on that HA, and provide the security -- ../data/rfc/rfc3141.txt- capability to modify certain parts of AAA messages whereby ../data/rfc/rfc3141.txt- to operate to in non-proxy or proxy environments. ../data/rfc/rfc3141.txt- o Provide message integrity and identity authentication on a ../data/rfc/rfc3141.txt- per hop (AAA node) basis. 
../data/rfc/rfc3141.txt- o Support replay protection and optional non-repudiation ../data/rfc/rfc3141.txt: capabilities for all authorization and accounting messages. ../data/rfc/rfc3141.txt: The AAA protocol must provide the capability for accounting ../data/rfc/rfc3141.txt- messages to be matched with prior authorization messages. ../data/rfc/rfc3141.txt: o Support accounting via both bilateral arrangements and via ../data/rfc/rfc3141.txt: broker AAA servers providing accounting clearinghouse and ../data/rfc/rfc3141.txt- reconciliation between serving and home networks. There is ../data/rfc/rfc3141.txt- an explicit agreement that if the private network or home ../data/rfc/rfc3141.txt- ISP authenticates the mobile station requesting service, ../data/rfc/rfc3141.txt- then the private network or home ISP network also agrees to ../data/rfc/rfc3141.txt- reconcile charges with the home service provider or broker. ../data/rfc/rfc3141.txt: Real time accounting must be supported. ../data/rfc/rfc3141.txt- o Provides security between AAA servers, and between AAA ../data/rfc/rfc3141.txt- server and PDSN or HA via IP security. ../data/rfc/rfc3141.txt- ../data/rfc/rfc3141.txt-3.2. Mobile IP Specific Requirements and AAA ../data/rfc/rfc3141.txt- -- ../data/rfc/rfc4152.txt- o Handle logistics (movement of circuit cards, along with the serial ../data/rfc/rfc4152.txt- number) ../data/rfc/rfc4152.txt- ../data/rfc/rfc4152.txt- o Provision equipment ../data/rfc/rfc4152.txt- ../data/rfc/rfc4152.txt: o Maintain asset records (accounting information) ../data/rfc/rfc4152.txt- ../data/rfc/rfc4152.txt- The goal of the CLEI namespace is to ensure the stability and ../data/rfc/rfc4152.txt- uniqueness of the names of various (specific) items that are used ../data/rfc/rfc4152.txt- within the messages exchanged between equipment of the global ../data/rfc/rfc4152.txt- telecommunications network. -- ../data/rfc/rfc3690.txt- PSTN/Internet boundaries. 
Absence of a mapping means that the ../data/rfc/rfc3690.txt- signaling reverts to a default service (presumably one attributed ../data/rfc/rfc3690.txt- to the general public). ../data/rfc/rfc3690.txt- ../data/rfc/rfc3690.txt- 4) Application layer IP telephony capabilities MUST NOT preclude the ../data/rfc/rfc3690.txt: ability to do application layer accounting. ../data/rfc/rfc3690.txt- ../data/rfc/rfc3690.txt: Accounting is a useful feature in support of billing and tracking ../data/rfc/rfc3690.txt- down abuse of service. If specific solutions or protocols in ../data/rfc/rfc3690.txt: support of ETS require accounting, then this will be articulated ../data/rfc/rfc3690.txt- in future document(s). ../data/rfc/rfc3690.txt- ../data/rfc/rfc3690.txt- 5) Application layer mechanisms in gateways and stateful proxies that ../data/rfc/rfc3690.txt- are specifically in place to recognize ETS type labels MUST be ../data/rfc/rfc3690.txt- able to support "best available" service (this will probably be -- ../data/rfc/rfc1639.txt- LPSV commands (500, 501). An additional negative completion reply ../data/rfc/rfc1639.txt- code is needed to distinguish the case where a host supports the LPRT ../data/rfc/rfc1639.txt- or LPSV command, but does not support the address family specified. ../data/rfc/rfc1639.txt- ../data/rfc/rfc1639.txt- Of the FTP function groupings defined for reply codes (syntax, ../data/rfc/rfc1639.txt: information, connections, authentication and accounting, and file ../data/rfc/rfc1639.txt- system), "connections" seems the most logical choice; thus, an ../data/rfc/rfc1639.txt- additional negative command completion reply code, 521 is added, with ../data/rfc/rfc1639.txt- the following suggested textual message: ../data/rfc/rfc1639.txt- ../data/rfc/rfc1639.txt- 521 Supported address families are (af1, af2, ..., afn) -- ../data/rfc/rfc8979.txt- Section 8.2.2 of [RFC8300], identifier values SHOULD be ../data/rfc/rfc8979.txt- obfuscated. 
../data/rfc/rfc8979.txt- ../data/rfc/rfc8979.txt- The Subscriber Identifier Context Header is used by SFs to enforce ../data/rfc/rfc8979.txt- per-subscriber policies (e.g., resource quota, customized filtering ../data/rfc/rfc8979.txt: profile, accounting). To that aim, network operators may rely on ../data/rfc/rfc8979.txt- identifiers that are generated from those used in legacy deployments ../data/rfc/rfc8979.txt- (e.g., Section 3.3 of [CASE-MOBILITY]). Alternatively, network ../data/rfc/rfc8979.txt- operators may use identifiers that are associated with customized ../data/rfc/rfc8979.txt- policy profiles that are preconfigured on SFs using an out-of-band ../data/rfc/rfc8979.txt- mechanism. Such a mechanism can be used to rotate the identifiers, -- ../data/rfc/rfc2000.txt- ../data/rfc/rfc2000.txt- 2060 - Internet Message Access Protocol - Version 4rev1 ../data/rfc/rfc2000.txt- ../data/rfc/rfc2000.txt- A Proposed Standard protocol. ../data/rfc/rfc2000.txt- ../data/rfc/rfc2000.txt: 2059 - RADIUS Accounting ../data/rfc/rfc2000.txt- ../data/rfc/rfc2000.txt- This is an information document and does not specify any ../data/rfc/rfc2000.txt- level of standard. ../data/rfc/rfc2000.txt- ../data/rfc/rfc2000.txt- 2058 - Remote Authentication Dial In User Service (RADIUS) -- ../data/rfc/rfc1135.txt- ../data/rfc/rfc1135.txt- Machalow, R., "Security for Lotus Files", Computers in Libraries, ../data/rfc/rfc1135.txt- Vol. 9, No. 2, Pg. 19, 1 February 1989. ../data/rfc/rfc1135.txt- ../data/rfc/rfc1135.txt- Maher, J., and J. Hicks, "Computer Viruses: Controller's Nightmare", ../data/rfc/rfc1135.txt: Management Accounting, Vol. 71, No. 4, Pg. 44, 1 October 1989. ../data/rfc/rfc1135.txt- ../data/rfc/rfc1135.txt- Markoff, J., "Author of Computer 'Virus' is Son of U.S. Electronic ../data/rfc/rfc1135.txt- Security Expert", Pgs. A1, A7, The New York Times, 5 November 1988. 
../data/rfc/rfc1135.txt- ../data/rfc/rfc1135.txt- Markoff, J., "Computer Experts Say Virus Carried No Hidden Dangers", -- ../data/rfc/rfc1135.txt- United States Congress Senate Committee on the Judiciary, "The ../data/rfc/rfc1135.txt- Computer Fraud and Abuse Act of 1986, Report Together with Additional ../data/rfc/rfc1135.txt- Views", Ninety-ninth Congress, Second Session, Washington, D.C., 3 ../data/rfc/rfc1135.txt- September 1986. ../data/rfc/rfc1135.txt- ../data/rfc/rfc1135.txt: United States General Accounting Office, "Computer Security", ../data/rfc/rfc1135.txt- GAO/IMTEC-89-57, June 1989. ../data/rfc/rfc1135.txt- ../data/rfc/rfc1135.txt- United States of America, "Computer Security Act of 1987", G.P.O. ../data/rfc/rfc1135.txt- Distributor, Washington D.C., 1988. ../data/rfc/rfc1135.txt- -- ../data/rfc/rfc1545.txt- errors in the PORT and PASV commands are appropriate for the LPRT and ../data/rfc/rfc1545.txt- LPSV commands (500, 501). An additional negative completion reply ../data/rfc/rfc1545.txt- code is needed to distinguish the case where a host supports the LPRT ../data/rfc/rfc1545.txt- or LPSV command, but does not support the address family specified. ../data/rfc/rfc1545.txt- Of the FTP function groupings currently defined for reply codes ../data/rfc/rfc1545.txt: (syntax, information, connections, authentication and accounting, and ../data/rfc/rfc1545.txt- file system), "connections" seems the most logical choice; thus, an ../data/rfc/rfc1545.txt- additional negative command completion reply code, 521 is added, with ../data/rfc/rfc1545.txt- the following suggested textual message: ../data/rfc/rfc1545.txt- ../data/rfc/rfc1545.txt- 521 Supported address families are (af1, af2, ..., afn) -- ../data/rfc/rfc4433.txt- Redirected HA: If the registration is rejected with error code ../data/rfc/rfc4433.txt- REDIRECT-HA-REQ, the HA being referred to is ../data/rfc/rfc4433.txt- specified in a new extension (Redirected HA ../data/rfc/rfc4433.txt- Extension). 
../data/rfc/rfc4433.txt- ../data/rfc/rfc4433.txt: AAA server: Authentication, Authorization, and Accounting ../data/rfc/rfc4433.txt- Server. ../data/rfc/rfc4433.txt- ../data/rfc/rfc4433.txt- DNS: Domain Name System. ../data/rfc/rfc4433.txt- ../data/rfc/rfc4433.txt- DHCP: Dynamic Host Configuration Protocol. -- ../data/rfc/rfc4433.txt- ../data/rfc/rfc4433.txt- [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement ../data/rfc/rfc4433.txt- Levels", BCP 14, RFC 2119, March 1997. ../data/rfc/rfc4433.txt- ../data/rfc/rfc4433.txt- [7] Perkins, C. and P. Calhoun, "Authentication, Authorization, and ../data/rfc/rfc4433.txt: Accounting (AAA) Registration Keys for Mobile IPv4", RFC 3957, ../data/rfc/rfc4433.txt- March 2005. ../data/rfc/rfc4433.txt- ../data/rfc/rfc4433.txt- ../data/rfc/rfc4433.txt- ../data/rfc/rfc4433.txt- -- ../data/rfc/rfc4071.txt- ../data/rfc/rfc4071.txt-RFC 4071 Structure of IASA April 2005 ../data/rfc/rfc4071.txt- ../data/rfc/rfc4071.txt- ../data/rfc/rfc4071.txt- 5. IASA Funding . . . . . . . . . . . . . . . . . . . . . . . . . 14 ../data/rfc/rfc4071.txt: 5.1. Cost Center Accounting . . . . . . . . . . . . . . . . . 14 ../data/rfc/rfc4071.txt- 5.2. IETF Meeting Revenues . . . . . . . . . . . . . . . . . 14 ../data/rfc/rfc4071.txt- 5.3. Designated Donations, Monetary and In-Kind . . . . . . . 14 ../data/rfc/rfc4071.txt- 5.4. Other ISOC Support . . . . . . . . . . . . . . . . . . . 15 ../data/rfc/rfc4071.txt- 5.5. IASA Expenses . . . . . . . . . . . . . . . . . . . . . 15 ../data/rfc/rfc4071.txt- 5.6. Operating Reserve . . . . . . . . . . . . . . . . . . . 15 -- ../data/rfc/rfc4071.txt- ../data/rfc/rfc4071.txt- 5. Once funds or in-kind donations have been credited to the IASA ../data/rfc/rfc4071.txt- accounts, they shall be irrevocably allocated to the support of ../data/rfc/rfc4071.txt- the IETF. ../data/rfc/rfc4071.txt- ../data/rfc/rfc4071.txt: 6. 
Search results for "accounting" across the RFC corpus; excerpts are grouped by source file, and "[...]" marks omitted context between non-adjacent matches.

From ../data/rfc/rfc4071.txt:

   There shall be a detailed public accounting to separately
   identify all funds available to and all expenditures relating to
   the IETF and to the IASA, including any donations, of funds or in
   kind, received by ISOC for IETF-related activities.  In-kind
   donations shall only be accepted at the direction of the IAD and
   IAOC.

[...]

   equivalent instruments with outside organizations, and for providing
   any coordination necessary to make sure that the IETF administrative
   support functions are covered properly.  All functions, whether
   contracted to outside organizations or performed internally within
   the IASA, must be clearly specified and documented with well-defined
   deliverables, service level agreements, and transparent accounting
   for the cost of such functions.

   The IASA is responsible for managing all intellectual property rights
   (IPR), including but not limited to trademarks, and copyrights that
   belong to the IETF.  The IASA is also responsible for managing the

[...]

   The IASA is responsible for undertaking any and all required actions
   on behalf of the IETF to obtain, protect, and manage the rights that
   the IETF needs to carry out its work.

   If the IASA cannot comply with the procedures described in this
   document for legal, accounting, or practical reasons, the IAOC shall
   report that fact to the community, along with the variant procedure
   that the IAOC intends to follow.  If the problem is a long-term one,
   the IAOC shall ask the IETF to update this document to reflect the
   changed procedure.

[...]

   Note that the goal is to achieve and maintain a viable IETF support
   function based on available funding sources.  The IETF community
   expects the IAOC and ISOC to work together to attain that goal.

5.1.  Cost Center Accounting

   Funds managed by the IASA shall be accounted for in a separate set of
   general ledger accounts within the IASA Cost Center.  In the
   remainder of this document, these general ledger accounts are termed
   "IASA accounts".  A periodic summary of the IASA accounts shall be

[...]

   The IAOC and ISOC shall agree upon and publish procedures for
   reporting and auditing of these accounts.

   Note that ISOC in consultation with the IAOC can decide to structure
   the IASA accounting differently in the future within the constraints
   outlined in Section 7.

5.2.  IETF Meeting Revenues

   Meeting revenues are an important source of funds for IETF functions.

[...]

   The dates described above are examples and are subject to change.
   They will most likely be modified each year based on the dates of the
   second and third IETF meetings of that year.  They also need to be
   synchronized with the ISOC budgeting process.

   The IAD shall provide monthly accountings of expenses and shall
   update expenditures forecasts every quarter.  This may require
   adjustment of the IASA budget.  If so, the revised budget will need
   to be approved by the IAOC, the ISOC President/CEO and, if necessary,
   the ISOC Board of Trustees.

From ../data/rfc/rfc3530.txt:

   With delegations, a client is able to avoid writing data to the
   server when the CLOSE of a file is serviced.  The file close system
   call is the usual point at which the client is notified of a lack of
   stable storage for the modified file data generated by the
   application.  At the close, file data is written to the server and
   through normal accounting the server is able to determine if the
   available filesystem space for the data has been exceeded (i.e.,
   server returns NFS4ERR_NOSPC or NFS4ERR_DQUOT).  This accounting
   includes quotas.  The introduction of delegations requires that a
   alternative method be in place for the same type of communication to
   occur between client and server.

   In the delegation response, the server provides either the limit of

From ../data/rfc/rfc1713.txt:

   when you talk to someuser@some.host, when your mail has to be routed
   through a set to gateways before it reaches the final recipient, when
   you post an article to Usenet and want it propagated all over the
   world.  While these may be the most visible uses of DNS, a lot more
   applications rely on this system to operate, e.g., network security,
   monitoring and accounting tools, just to mention a few.

   DNS owes much of its success to its distributed administration.  Each
   component (called a zone, the same as a domain in most cases), is
   seen as an independent entity, being responsible for what happens
   inside its domain of authority, how and what information changes and

From ../data/rfc/rfc6632.txt:

      4.1.5. Application-Layer Data Models ......................41
      4.1.6. Network Management Infrastructure Data Models ......41
   4.2. Network Management Data Models - FCAPS View ...............41
      4.2.1. Fault Management ...................................42
      4.2.2. Configuration Management ...........................44
      4.2.3. Accounting Management ..............................45
      4.2.4. Performance Management .............................46
      4.2.5. Security Management ................................48
   5. Security Considerations ........................................49
   6. Contributors ...................................................51
   7. Acknowledgements ...............................................52

[...]

   standardized within the IETF.  Section 4.1 focuses on a broader view
   of models classified into categories such as generic and
   infrastructure data models as well as data models matched to
   different layers.  Whereas Section 4.2 structures the data models
   following the management application view and maps them to the
   network management tasks fault, configuration, accounting,
   performance, and security management.

   Appendix A guides the reader for the high-level selection of
   management standards.  For this, the section classifies the protocols
   according to high-level criteria, such as push versus pull

[...]

   ensured.  The IPFIX and PSAMP protocols do not define any new
   security mechanisms and rely on the security mechanism of the
   underlying transport protocol, such as TLS [RFC5246] and DTLS
   [RFC6347].

   The primary goal of IPFIX is the reporting of the flow accounting for
   flexible flow definitions and usage-based accounting.  As described
   in the IPFIX Applicability Statement [RFC5472], there are also other
   applications such as traffic profiling, traffic engineering,
   intrusion detection, and QoS monitoring, that require flow-based
   traffic measurements and can be realized using IPFIX.  Furthermore,

[...]

   "Remote Authentication Dial In User Service (RADIUS)" [RFC2865]
   describes a client/server protocol for carrying authentication,
   authorization, and configuration information between a Network Access
   Server (NAS), which desires to authenticate its links, and a shared
   authentication server.  The companion document "Radius Accounting"
   [RFC2866] describes a protocol for carrying accounting information
   between a NAS and a shared accounting server.  [RFC2867] adds
   required new RADIUS accounting attributes and new values designed to
   support the provision of tunneling in dial-up networks.

   The RADIUS protocol is widely used in environments like enterprise
   networks, where a single administrative authority manages the network
   and protects the privacy of user information.  RADIUS is deployed in

[...]

   authenticators.  In the context of 802.1X and EAP-based
   authentication, the VSAs described in [RFC2458] have been widely
   accepted by the industry.  "RADIUS Extensions" [RFC2869] is another
   important RFC related to EAP use.  RFC 2869 describes additional
   attributes for carrying AAA information between a NAS and a shared
   accounting server using RADIUS.  It also defines attributes to
   encapsulate EAP message payload.

   There are different MIB modules defined for multiple purposes to use
   with RADIUS (see Sections 4.2.3 and 4.2.5).

3.6.  Diameter Base Protocol (Diameter)

   Diameter [RFC3588] provides an Authentication, Authorization, and
   Accounting (AAA) framework for applications such as network access or
   IP mobility.  Diameter is also intended to work in local AAA and in
   roaming scenarios.  Diameter provides an upgrade path for RADIUS but
   is not directly backwards compatible.

   Diameter is designed to resolve a number of known problems with

[...]

   nodes.  Each application has an IANA-assigned unique identifier,

   o  Support of application layer acknowledgements, failover methods
      and state machines,

   o  Basic support for user-sessions and accounting,

   o  Better roaming support,

   o  Error notification, and

   o  Easy extensibility.

   The Diameter protocol is designed to be extensible to support, e.g.,
   proxies, brokers, mobility and roaming, Network Access Servers
   (NASREQ), and Accounting and Resource Management.  Diameter
   applications extend the Diameter base protocol by adding new commands
   and/or attributes.  Each application is defined by a unique IANA-
   assigned application identifier and can add new command codes and/or
   new mandatory AVPs.

[...]

   published at IETF:

   o  Diameter Base Protocol Application [RFC3588]: Required support
      from all Diameter implementations.

   o  Diameter Base Accounting Application [RFC3588]: A Diameter
      application using an accounting protocol based on a server-
      directed model with capabilities for real-time delivery of
      accounting information.

Ersue & Claise                Informational                    [Page 32]

RFC 6632                IETF Management Standards              June 2012

   o  Diameter Mobile IPv4 Application [RFC4004]: A Diameter application
      that allows a Diameter server to authenticate, authorize, and
      collect accounting information for Mobile IPv4 services rendered
      to a mobile node.

   o  Diameter Network Access Server Application (NASREQ, [RFC4005]): A
      Diameter application used for AAA services in the NAS environment.

[...]

   focuses on a broader view of models classified into categories such
   as generic and infrastructure data models as well as data models
   matched to different layers.  The second subsection is structured
   following the management application view and focuses mainly on the
   data models for the network management tasks fault, configuration,
   accounting, performance, and security management (see [FCAPS]).

   Note that the IETF does not use the FCAPS view as an organizing
   principle for its data models.  However, the FCAPS view is used
   widely outside of the IETF for the realization of management tasks
   and applications.  Section 4.2 aims to address the FCAPS view to

[...]

   Cable Modems [RFC4546], or Ethernet [RFC4188] [RFC4318] [RFC4363].
   These so-called transmission data models typically extend the generic
   network interfaces data model with interface type specific
   information.  Most of the link-layer data models focus on monitoring
   capabilities that can be used for performance and fault management
   functions and, to some lesser extent, for accounting and security
   management functions.  Meanwhile, the IEEE has taken over the
   responsibility to maintain and further develop data models for the
   IEEE 802 family of protocols [RFC4663].  The cable modem industry
   consortium DOCSIS is working with the IETF to publish data models for
   cable modem networks as IETF Standards Track specifications.

[...]

4.2.  Network Management Data Models - FCAPS View

   This subsection follows the management application view and aims to
   match the data models to network management tasks for fault,
   configuration, accounting, performance, and security management
   ([FCAPS]).  As OAM is a general term that refers to a toolset, which
   can be used for fault detection, isolation, and performance
   measurement, aspects of FCAPS in the context of the data path, such

[...]

   wireless binding.
   Note: RFC 5833 and RFC 5834 have been published as Informational RFCs
   to provide the basis for future work on a SNMP management of the
   CAPWAP protocol.

4.2.3.  Accounting Management

   Accounting management collects usage information of network
   resources.  Note that the IETF does not define any mechanisms related
   to billing and charging.  Many technology-specific MIBs (link layer,
   network layer, transport layer, or application layer) contain
   counters but are not primarily targeted for accounting and,
   therefore, are not included in this section.

   "RADIUS Accounting Client MIB for IPv6" [RFC4670] defines RADIUS
   Accounting Client MIB objects that support version-neutral IP
   addressing formats.

   "RADIUS Accounting Server MIB for IPv6" [RFC4671] defines RADIUS
   Accounting Server MIB objects that support version-neutral IP
   addressing formats.

   IPFIX/PSAMP Information Elements:

   As expressed in Section 2.3, the IPFIX Architecture [RFC5470] defines
   components involved in IP flow measurement and reporting of
   information on IP flows.  As such, IPFIX records provide fine-grained
   measurement data for flexible and detailed usage reporting and enable
   usage-based accounting.

[...]

                Management Framework For Open Systems Interconnection
                (OSI) For CCITT Applications", September 1992,
                <http://www.itu.int/rec/T-REC-X.700-199209-I/en>.

   [IANA-AAA]   Internet Assigned Numbers Authority, "Authentication,
                Authorization, and Accounting (AAA) Parameters",
                February 2012,
                <http://www.iana.org/assignments/aaa-parameters>.

   [IANA-IPFIX] Internet Assigned Numbers Authority, "IP Flow
                Information Export (IPFIX) Entities", May 2012,

[...]

   [RFC2865]    Rigney, C., Willens, S., Rubens, A., and W. Simpson,
                "Remote Authentication Dial In User Service
                (RADIUS)", RFC 2865, June 2000.

   [RFC2866]    Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [RFC2867]    Zorn, G., Aboba, B., and D. Mitton, "RADIUS
                Accounting Modifications for Tunnel Protocol
                Support", RFC 2867, June 2000.

   [RFC2868]    Zorn, G., Leifer, D., Rubens, A., Shriver, J.,
                Holdrege, M., and I. Goyret, "RADIUS Attributes for
                Tunnel Protocol Support", RFC 2868, June 2000.

[...]

                IPv6", RFC 4668, August 2006.

   [RFC4669]    Nelson, D., "RADIUS Authentication Server MIB for
                IPv6", RFC 4669, August 2006.

   [RFC4670]    Nelson, D., "RADIUS Accounting Client MIB for IPv6",
                RFC 4670, August 2006.

   [RFC4671]    Nelson, D., "RADIUS Accounting Server MIB for IPv6",
                RFC 4671, August 2006.

   [RFC4672]    De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS
                Dynamic Authorization Client MIB", RFC 4672,
                September 2006.

[...]

                Sinnreich, "Session Initiation Protocol Event Package
                for Voice Quality Reporting", RFC 6035,
                November 2010.

   [RFC6065]    Narayan, K., Nelson, D., and R. Presuhn, "Using
                Authentication, Authorization, and Accounting
                Services to Dynamically Provision View-Based Access
                Control Model User-to-Group Mappings", RFC 6065,
                December 2010.

   [RFC6087]    Bierman, A., "Guidelines for Authors and Reviewers of

[...]

A.2.  Protocols Matched to Management Tasks

   This subsection classifies the management protocols matching to the
   management tasks for fault, configuration, accounting, performance,
   and security management.

   +------------+------------+-------------+--------------+------------+
   | Fault Mgmt | Config.    | Accounting  | Performance  | Security   |
   |            | Mgmt       | Mgmt        | Mgmt         | Mgmt       |
   +------------+------------+-------------+--------------+------------+
   | SNMP       | SNMP       | SNMP        | SNMP         |            |
   | notif.     | config.    | monitoring  | monitoring   |            |
   | with trap  | with set   | with get    | with get     |            |

[...]

   |            |            |             |              |            |
   | PSAMP      | NETCONF    | PSAMP       | PSAMP        |            |
   | (S. 2.3)   | (S. 2.4.1) | (S. 2.3)    | (S. 2.3)     |            |
   |            |            |             |              |            |
   | Syslog     | ANCP       | RADIUS      |              | RADIUS     |
   | (S. 2.2)   | (S. 3.8)   | Accounting  |              | Authent.&  |
   |            |            | (S. 3.5)    |              | Authoriz.  |
   |            |            |             |              | (S. 3.5)   |
   |            |            |             |              |            |
   |            | AUTOCONF   | Diameter    |              | Diameter   |
   |            | (S. 3.1.2) | Accounting  |              | Authent.&  |
   |            |            | (S. 3.6)    |              | Authoriz.  |
   |            |            |             |              | (S. 3.6)   |
   |            |            |             |              |            |
   |            | ACAP       |             |              |            |
   |            | (S. 3.9)   |             |              |            |

[...]

   | NETCONF (except notifications)  | NETCONF notifications           |
   | (Section 2.4.1)                 | (Section 2.4.1)                 |
   | CAPWAP (Section 3.7)            | Syslog (Section 2.2)            |
   |                                 | IPFIX (Section 2.3)             |
   |                                 | PSAMP (Section 2.3)             |
   |                                 | RADIUS accounting               |
   |                                 | (Section 3.5)                   |
   |                                 | Diameter accounting             |
   |                                 | (Section 3.6)                   |
   +---------------------------------+---------------------------------+

        Table 3: Protocol Classification by Push versus Pull Mechanism

A.4.  Passive versus Active Monitoring

   Monitoring can be divided into two categories: passive and active
   monitoring.  Passive monitoring can perform the network traffic
   monitoring, monitoring of a device, or the accounting of network
   resource consumption by users.  Active monitoring, as used in this
   document, focuses mainly on active network monitoring and relies on
   the injection of specific traffic (also called "synthetic traffic"),
   which is then monitored.  The monitoring focus is indicated in the
   table below as "network", "device", or "accounting".

   This classification excludes non-monitoring protocols, such as
   configuration protocols: Ad hoc network autoconfiguration, ANCP, and
   XCAP.  Note that some of the active monitoring protocols, in the
   context of the data path, e.g., ICMP Ping and Traceroute [RFC1470],

[...]

   | PSAMP (network) (Section 2.3)   | TWAMP (network) (Section 3.4)   |
   | SNMP (network and device)       |                                 |
   | (Section 2.1)                   |                                 |
   | NETCONF (device)                |                                 |
   | (Section 2.4.1)                 |                                 |
   | RADIUS (accounting)             |                                 |
   | (Section 3.5)                   |                                 |
   | Diameter (accounting)           |                                 |
   | (Section 3.6)                   |                                 |
   | CAPWAP (device) (Section 3.7)   |                                 |
   +---------------------------------+---------------------------------+

        Table 4: Protocols for Passive and Active Monitoring and Their

[...]

   passive monitoring, e.g., with the NETCONF Monitoring YANG module
   [RFC6022] for the monitoring of the NETCONF protocol.  CAPWAP
   monitors the status of a Wireless Termination Point.

   RADIUS and diameter are considered passive monitoring protocols as
   they perform accounting, i.e., counting the number of packets/bytes
   for a specific user.

A.5.  Supported Data Model Types and Their Extensibility

   The following table matches the protocols to the associated data

[...]

   The basic objective of energy management is operating communication
   networks and other equipment with a minimal amount of energy while
   still providing sufficient performance to meet service-level
   objectives.  Today, most networking and network-attached devices
   neither monitor nor allow controlled energy usage as they are mainly
   instrumented for functions such as fault, configuration, accounting,
   performance, and security management.  These devices are not
   instrumented to be aware of energy consumption.  There are very few
   means specified in IETF documents for energy management, which
   includes the areas of power monitoring, energy monitoring, and power
   state control.

From ../data/rfc/rfc6159.txt:

Tsou, et al.                  Informational                     [Page 3]

RFC 6159                Diameter Explicit Routing              April 2011

   Authentication, Authorization, and Accounting (AAA) Relays
      Other Diameter nodes interspersed between the ER-Originator,
      ER-Proxies, and the ER-Destination.  These nodes represent
      existing Diameter agents and proxies that do not participate in ER
      and do not recognize Explicit-Path Attribute Value Pairs (AVPs).

From ../data/rfc/rfc5164.txt:

      information to make decisions about what steps to take next.  It
      is essential that there is some way to ensure that the information
      received is from a trustworthy source.  This requirement should
      reuse trust relationships that have already been established in
      the network, for example, on the relationships established by the
      Authentication, Authorization, and Accounting (AAA) infrastructure
      after a mutual authentication, or on the certificate
      infrastructure required to support SEND [10].  Section 6 provides
      a more complete analysis.

   Security association management: A common security association

From ../data/rfc/rfc5973.txt:

   with respect to the NATFW NSLP protocol interaction.

   The security solutions for providing authorization have a direct
   impact on the treatment of different NSLPs.  As it can be seen from
   the QoS NSLP [RFC5974] and the corresponding Diameter QoS work
   [RFC5866], accounting and charging seems to play an important role
   for QoS reservations, whereas monetary aspects might only indirectly
   effect authorization decisions for NAT and firewall signaling.
   Hence, there are differences in the semantics of authorization
   handling between QoS and NATFW signaling.  A NATFW-aware node will
   most likely want to authorize the entity (e.g., user or machine)

From ../data/rfc/rfc949.txt:

   include it in a suitable response-code's free text field (unless, of
   course, an avalanche of comments comes in urging it not be done at
   all)?

   Note, by the way, that the intent here is emphatically not to
   sidestep whatever access control, authentication, and accounting
   mechanisms Hosts might have in play before the user can do an old
   STOR or a new STOU, but with suitable publicized ID's and passwords
   it could be almost as good as the proposal made in RFC 505.

RECOMMENDATION

From ../data/rfc/rfc5247.txt:

   This document specifies the EAP key hierarchy and provides a
   framework for the transport and usage of keying material and
   parameters generated by EAP methods.  It also provides a detailed
   security analysis, describing the conditions under which the
   requirements described in "Guidance for Authentication,
   Authorization, and Accounting (AAA) Key Management" [RFC4962] can be
   satisfied.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",

[...]

Aboba, et al.                Standards Track                     [Page 3]

RFC 5247              EAP Key Management Framework            August 2008

   AAA   Authentication, Authorization, and Accounting
         AAA protocols with EAP support include "RADIUS Support for EAP"
         [RFC3579] and "Diameter EAP Application" [RFC4072].  In this
         document, the terms "AAA server" and "backend authentication
         server" are used interchangeably.

[...]

   While the authenticator can implement some EAP methods locally and
   use those methods to authenticate local users, it can at the same
   time act as a pass-through for other users and methods, forwarding
   EAP packets back and forth between the backend authentication server
   and the peer.  This is accomplished by encapsulating EAP packets
   within the Authentication, Authorization, and Accounting (AAA)
   protocol spoken between the authenticator and backend authentication
   server.  AAA protocols supporting EAP include RADIUS [RFC3579] and
   Diameter [RFC4072].

   It is a fundamental property of EAP that at the EAP method layer, the

[...]

   the same authenticator, increasing backend authentication server
   load.

   Since a peer can complete EAP pre-authentication with an
   authenticator without eventually attaching to it, it is possible that
   phase 2 will not occur.  In this case, an Accounting-Request
   signifying the start of service will not be sent, or will only be
   sent with a substantial delay after the completion of authentication.

[...]

   distinguishes an EAP pre-authentication attempt, if the authenticator
   does not always include the SSID for a normal EAP authentication
   attempt, it is possible that the backend authentication server will
   not be able to determine whether a session constitutes an EAP
   pre-authentication attempt, potentially resulting in authorization or
   accounting problems.  Where the number of simultaneous sessions is
   limited, the backend authentication server can refuse to authorize a
   valid EAP pre-authentication attempt or can enable the peer to engage
   in more simultaneous sessions than they are authorized for.  Where
   EAP pre-authentication occurs with an authenticator which the peer
   never attaches to, it is possible that the backend accounting server
   will not be able to determine whether the absence of an
   Accounting-Request was due to packet loss or a session that never
   started.

   In order to enable pre-authentication requests to be handled more
   reliably, it is RECOMMENDED that AAA protocols explicitly identify
   EAP pre-authentication.  In order to suppress unnecessary EAP

[...]

   handoff latency, proactive key distribution schemes typically only
   demonstrate proof of possession of transported keying material
   between the EAP peer and authenticator.  During a handoff, the
   backend authentication server is not provided with proof that the
   peer successfully authenticated to an authenticator; instead, the
   authenticator generates a stream of accounting messages without a
   corresponding set of authentication exchanges.  As described in
   [MishraPro], knowledge of the neighbor graph can be established via
   static configuration or analysis of authentication exchanges.  In
   order to prevent corruption of the neighbor graph, new neighbor graph
   entries can only be created as the result of a successful EAP
   exchange, and accounting packets with no corresponding authentication
   exchange need to be verified to correspond to neighbor graph entries
   (e.g., corresponding to handoffs between neighbors).

   In order to prevent compromise of one authenticator from resulting in
   compromise of other authenticators, cryptographic separation needs to

[...]

   authentication messages, an attacker compromising one authenticator
   could corrupt the neighbor graph, tricking the backend authentication
   server into transporting keying material to arbitrary authenticators.
   While this would not enable recovery of EAP keying material without
   breaking fundamental cryptographic assumptions, it could enable
   subsequent fraudulent accounting messages, or allow an attacker to
   disrupt service by increasing load on the backend authentication
   server or thrashing the authenticator key cache.

   Since proactive key distribution requires the distribution of derived
   keying material to candidate authenticators, the effectiveness of

[...]

   In Access-Request Packets, the Authenticator value is a 16 octet
   random number, called the Request Authenticator.

   However, some RADIUS packets are not replay protected.  In
   Accounting, Disconnect, and Care-of Address (CoA)-Request packets,
   the Request Authenticator contains a keyed Message Integrity Code
   (MIC) rather than a nonce.  The Response Authenticator in Accounting,
   Disconnect, and CoA-Response packets also contains a keyed MIC whose
   calculation does not depend on a nonce in either the Request or
   Response packets.  Therefore, unless an Event-Timestamp attribute is
   included or IPsec is used, it is possible that the recipient will not
   be able to determine whether these packets have been replayed.  This

[...]

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
              H. Levkowetz, Ed., "Extensible Authentication Protocol
              (EAP)", RFC 3748, June 2004.

   [RFC4962]  Housley, R. and B.
Aboba, "Guidance for ../data/rfc/rfc5247.txt: Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc5247.txt- Key Management", BCP 132, RFC 4962, July 2007. ../data/rfc/rfc5247.txt- ../data/rfc/rfc5247.txt-6.2. Informative References ../data/rfc/rfc5247.txt- ../data/rfc/rfc5247.txt- [8021XPreAuth] Pack, S. and Y. Choi, "Pre-Authenticated Fast Handoff -- ../data/rfc/rfc5787.txt- 3. Reachability ....................................................6 ../data/rfc/rfc5787.txt- 3.1. Node IPv4 Local Prefix Sub-TLV .............................6 ../data/rfc/rfc5787.txt- 3.2. Node IPv6 Local Prefix Sub-TLV .............................7 ../data/rfc/rfc5787.txt- 4. Link Attribute ..................................................8 ../data/rfc/rfc5787.txt- 4.1. Local Adaptation ...........................................8 ../data/rfc/rfc5787.txt: 4.2. Bandwidth Accounting .......................................9 ../data/rfc/rfc5787.txt- 5. Routing Information Scope .......................................9 ../data/rfc/rfc5787.txt- 5.1. Terminology and Identification .............................9 ../data/rfc/rfc5787.txt- 5.2. Link Advertisement (Local and Remote TE Router ID ../data/rfc/rfc5787.txt- Sub-TLV) ..................................................10 ../data/rfc/rfc5787.txt- 5.3. Reachability Advertisement (Local TE Router ID sub-TLV) ...11 -- ../data/rfc/rfc5787.txt- in any compatibility issues. ../data/rfc/rfc5787.txt- ../data/rfc/rfc5787.txt- Further refinement of the ISCD sub-TLV for multi-layer networks is ../data/rfc/rfc5787.txt- outside the scope of this document. ../data/rfc/rfc5787.txt- ../data/rfc/rfc5787.txt:4.2. 
Bandwidth Accounting ../data/rfc/rfc5787.txt- ../data/rfc/rfc5787.txt- GMPLS routing defines an Interface Switching Capability Descriptor ../data/rfc/rfc5787.txt- (ISCD) that delivers, among other things, information about the ../data/rfc/rfc5787.txt- (maximum/minimum) bandwidth per priority that a Label Switched Path ../data/rfc/rfc5787.txt- (LSP) can make use of. Per [RFC4202] and [RFC4203], one or more ISCD ../data/rfc/rfc5787.txt- sub-TLVs can be associated with an interface. This information, ../data/rfc/rfc5787.txt- combined with the Unreserved Bandwidth (sub-TLV defined in [RFC3630], ../data/rfc/rfc5787.txt: Section 2.5.8), provides the basis for bandwidth accounting. ../data/rfc/rfc5787.txt- ../data/rfc/rfc5787.txt- In the ASON context, additional information may be included when the ../data/rfc/rfc5787.txt- representation and information in the other advertised fields are not ../data/rfc/rfc5787.txt- sufficient for a specific technology (e.g., SDH). The definition of ../data/rfc/rfc5787.txt- technology-specific information elements is beyond the scope of this -- ../data/rfc/rfc5787.txt- ../data/rfc/rfc5787.txt- Management plane: performs management functions for the transport ../data/rfc/rfc5787.txt- plane, the control plane, and the system as a whole. It also ../data/rfc/rfc5787.txt- provides coordination between all the planes. The following ../data/rfc/rfc5787.txt- management functional areas are performed in the management plane: ../data/rfc/rfc5787.txt: performance, fault, configuration, accounting, and security ../data/rfc/rfc5787.txt- management. ../data/rfc/rfc5787.txt- ../data/rfc/rfc5787.txt- Management domain: (See Recommendation G.805.) 
A management domain ../data/rfc/rfc5787.txt- defines a collection of managed objects that are grouped to meet ../data/rfc/rfc5787.txt- organizational requirements according to geography, technology, -- ../data/rfc/rfc4673.txt- to handle the Disconnect and Change-of-Authorization (CoA) messages ../data/rfc/rfc4673.txt- as described in [RFC3576]. As a result, the effective management of ../data/rfc/rfc4673.txt- RADIUS Dynamic Authorization entities is of considerable importance. ../data/rfc/rfc4673.txt- This RADIUS Dynamic Authorization Server (DAS) MIB complements the ../data/rfc/rfc4673.txt- managed objects used for managing RADIUS authentication and ../data/rfc/rfc4673.txt: accounting clients as described in [RFC4668] and [RFC4670], ../data/rfc/rfc4673.txt- respectively. ../data/rfc/rfc4673.txt- ../data/rfc/rfc4673.txt-1.1. Requirements Notation ../data/rfc/rfc4673.txt- ../data/rfc/rfc4673.txt- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", -- ../data/rfc/rfc4673.txt- [RFC4671] describes the MIB for a RADIUS Acct Server MIB. ../data/rfc/rfc4673.txt- ../data/rfc/rfc4673.txt- [RFC4672] describes the MIB for a RADIUS Dynamic Auth Client. ../data/rfc/rfc4673.txt- ../data/rfc/rfc4673.txt- A NAS typically implements the MIBs for a RADIUS Authentication ../data/rfc/rfc4673.txt: Client, a RADIUS accounting client, and a RADIUS Dynamic ../data/rfc/rfc4673.txt- Authorization Server. However, any one MIB can be implemented ../data/rfc/rfc4673.txt- without implementing any of the other MIBs; i.e., the MIBs have no ../data/rfc/rfc4673.txt- dependencies on each other. A typical case would be for a device to ../data/rfc/rfc4673.txt: implement the MIBs RADIUS authentication server, RADIUS accounting ../data/rfc/rfc4673.txt- server, and RADIUS Dynamic Authorization Client. A RADIUS proxy ../data/rfc/rfc4673.txt- might implement any, all, or a subset of the MIBs listed above and ../data/rfc/rfc4673.txt- the MIB as defined in this document. 
../data/rfc/rfc4673.txt- ../data/rfc/rfc4673.txt- -- ../data/rfc/rfc4673.txt- RFC 4668, August 2006. ../data/rfc/rfc4673.txt- ../data/rfc/rfc4673.txt- [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6", ../data/rfc/rfc4673.txt- RFC 4669, August 2006. ../data/rfc/rfc4673.txt- ../data/rfc/rfc4673.txt: [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", RFC ../data/rfc/rfc4673.txt- 4670, August 2006. ../data/rfc/rfc4673.txt- ../data/rfc/rfc4673.txt: [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC ../data/rfc/rfc4673.txt- 4671, August 2006. ../data/rfc/rfc4673.txt- ../data/rfc/rfc4673.txt- [RFC4672] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic ../data/rfc/rfc4673.txt- Authorization Client MIB", RFC 4672, September 2006. ../data/rfc/rfc4673.txt- -- ../data/rfc/rfc6036.txt- balancers; VPN boxes; some SIP platforms; management interfaces & ../data/rfc/rfc6036.txt- systems; firewalls; billing systems. When asked if such devices can ../data/rfc/rfc6036.txt- be field-upgraded, the answers were gloomy: 5 yes, 4 partially, 10 ../data/rfc/rfc6036.txt- no, and numerous "don't know" or "hopefully". ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt: 84% support or plan DNS Authentication, Authorization, Accounting, ../data/rfc/rfc6036.txt- and Auditing (AAAA) queries over IPv6, and all but one of these ../data/rfc/rfc6036.txt- include reverse DNS lookup for IPv6. ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- The ISPs surveyed have prefixes ranging from /19 to /48, and have a ../data/rfc/rfc6036.txt- variety of policies for customer prefixes. Fifteen ISPs offer more -- ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- About 50% of ISPs already operate or plan dual-stack SMTP, Post ../data/rfc/rfc6036.txt- Office Protocol 3 (POP3), IMAP, and HTTP services. 
In terms of ../data/rfc/rfc6036.txt- internal services, it seems that firewalls, intrusion detection, ../data/rfc/rfc6036.txt- address management, monitoring, and network management tools are also ../data/rfc/rfc6036.txt: around the 50% mark. However, accounting and billing software is ../data/rfc/rfc6036.txt- only ready at 23% of ISPs. ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- Considering IPv4-IPv6 interworking, 58% of ISPs don't expect to have ../data/rfc/rfc6036.txt- IPv6-only customers (but mobile operators are certain they will have ../data/rfc/rfc6036.txt- millions). Five ISPs report customers who explicitly refused to -- ../data/rfc/rfc6036.txt-RFC 6036 ISP IPv6 Scenarios October 2010 ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- o Intrusion detection systems ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt: o Accounting and billing systems ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- It is not the purpose of this document to name and shame vendors, but ../data/rfc/rfc6036.txt- today it is becoming urgent for all products to avoid becoming part ../data/rfc/rfc6036.txt- of the IPv4 legacy. ISPs stated that they want consistent feature- ../data/rfc/rfc6036.txt- equivalent support for IPv4 and IPv6 in all equipment and software at -- ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- * Intrusion detection: 10 yes, 2 plan, 13 no ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- * Address management software: 15 yes, 1 plan, 13 no ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt: * Accounting software: 7 yes, 21 no ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- * Monitoring software: 16 yes, 2 partial, 2 plan, 11 no ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- * Network management tools: 13 yes, 4 partial, 1 plan, 11 no ../data/rfc/rfc6036.txt- -- ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- 28.2. Intrusion detection ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- 28.3. 
Address management software ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt: 28.4. Accounting software ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- 28.5. Monitoring software ../data/rfc/rfc6036.txt- ../data/rfc/rfc6036.txt- 28.6. Network management tools ../data/rfc/rfc6036.txt- -- ../data/rfc/rfc3466.txt- provider to deliver copies of origin server content to clients from ../data/rfc/rfc3466.txt- multiple diverse locations. The increase in number and diversity of ../data/rfc/rfc3466.txt- location is intended to improve download times and thus improve the ../data/rfc/rfc3466.txt- user experience. A CDN has some combination of a content-delivery ../data/rfc/rfc3466.txt- infrastructure, a request-routing infrastructure, a distribution ../data/rfc/rfc3466.txt: infrastructure, and an accounting infrastructure. The content- ../data/rfc/rfc3466.txt- delivery infrastructure consists of a set of "surrogate" servers [3] ../data/rfc/rfc3466.txt- that deliver copies of content to sets of users. The request-routing ../data/rfc/rfc3466.txt- infrastructure consists of mechanisms that move a client toward a ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- -- ../data/rfc/rfc3466.txt-RFC 3466 A Model for Content Internetworking (CDI) February 2003 ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- rendezvous with a surrogate. The distribution infrastructure ../data/rfc/rfc3466.txt- consists of mechanisms that move content from the origin server to ../data/rfc/rfc3466.txt: the surrogates. Finally, the accounting infrastructure tracks and ../data/rfc/rfc3466.txt- collects data on request-routing, distribution, and delivery ../data/rfc/rfc3466.txt- functions within the CDN. 
../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- The following diagram depicts a simple CDN as described above: ../data/rfc/rfc3466.txt- -- ../data/rfc/rfc3466.txt- internetworking and this vocabulary are applicable to other protocols ../data/rfc/rfc3466.txt- and styles of content delivery. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- Phrases in upper-case refer to other defined terms. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt: ACCOUNTING ../data/rfc/rfc3466.txt- Measurement and recording of DISTRIBUTION and DELIVERY activities, ../data/rfc/rfc3466.txt- especially when the information recorded is ultimately used as a ../data/rfc/rfc3466.txt- basis for the subsequent transfer of money, goods, or obligations. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt: ACCOUNTING SYSTEM ../data/rfc/rfc3466.txt: A collection of CONTENT NETWORK ELEMENTS that supports ACCOUNTING ../data/rfc/rfc3466.txt- for a single CONTENT NETWORK. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- AUTHORITATIVE REQUEST-ROUTING SYSTEM ../data/rfc/rfc3466.txt- The REQUEST-ROUTING SYSTEM that is the correct/final authority for ../data/rfc/rfc3466.txt- a particular item of CONTENT. -- ../data/rfc/rfc3466.txt- CDN ../data/rfc/rfc3466.txt- Content Delivery Network or Content Distribution Network. A type ../data/rfc/rfc3466.txt- of CONTENT NETWORK in which the CONTENT NETWORK ELEMENTS are ../data/rfc/rfc3466.txt- arranged for more effective delivery of CONTENT to CLIENTS. ../data/rfc/rfc3466.txt- Typically a CDN consists of a REQUEST-ROUTING SYSTEM, SURROGATES, ../data/rfc/rfc3466.txt: a DISTRIBUTION SYSTEM, and an ACCOUNTING SYSTEM. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- -- ../data/rfc/rfc3466.txt-Day, et al. 
Informational [Page 12] ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt-RFC 3466 A Model for Content Internetworking (CDI) February 2003 ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt: ACCOUNTING INTERNETWORKING ../data/rfc/rfc3466.txt: Interconnection of two or more ACCOUNTING SYSTEMS so as to enable ../data/rfc/rfc3466.txt: the exchange of information between them. The form of ACCOUNTING ../data/rfc/rfc3466.txt- INTERNETWORKING required may depend on the nature of the ../data/rfc/rfc3466.txt- NEGOTIATED RELATIONSHIP between the peering parties -- in ../data/rfc/rfc3466.txt- particular, on the value of the economic exchanges anticipated. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- ADVERTISEMENT -- ../data/rfc/rfc3466.txt- about aspects of topology, geography and performance of a CONTENT ../data/rfc/rfc3466.txt- NETWORK. Contrast with CONTENT ADVERTISEMENT, DISTRIBUTION ../data/rfc/rfc3466.txt- ADVERTISEMENT. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- BILLING ORGANIZATION ../data/rfc/rfc3466.txt: An entity that operates an ACCOUNTING SYSTEM to support billing ../data/rfc/rfc3466.txt- within a NEGOTIATED RELATIONSHIP with a PUBLISHER. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- CONTENT ADVERTISEMENT ../data/rfc/rfc3466.txt- ADVERTISEMENT from a CONTENT NETWORK's REQUEST-ROUTING SYSTEM ../data/rfc/rfc3466.txt- about the availability of one or more collections of CONTENT on a -- ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- CONTENT INTERNETWORKING GATEWAY (CIG) ../data/rfc/rfc3466.txt- An identifiable element or system through which a CONTENT NETWORK ../data/rfc/rfc3466.txt- can be interconnected with others. 
A CIG may be the point of ../data/rfc/rfc3466.txt- contact for DISTRIBUTION INTERNETWORKING, REQUEST-ROUTING ../data/rfc/rfc3466.txt: INTERNETWORKING, and/or ACCOUNTING INTERNETWORKING, and thus may ../data/rfc/rfc3466.txt- incorporate some or all of the corresponding systems for the ../data/rfc/rfc3466.txt- CONTENT NETWORK. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- CONTENT REPLICATION ../data/rfc/rfc3466.txt- The movement of CONTENT from a CONTENT SOURCE to a CONTENT -- ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- ENLISTED ../data/rfc/rfc3466.txt- Describes a CONTENT NETWORK that, as part of a NEGOTIATED ../data/rfc/rfc3466.txt- RELATIONSHIP, has accepted a DISTRIBUTION task from another ../data/rfc/rfc3466.txt- CONTENT NETWORK, has agreed to perform REQUEST-ROUTING on behalf ../data/rfc/rfc3466.txt: of another CONTENT NETWORK, or has agreed to provide ACCOUNTING ../data/rfc/rfc3466.txt- data to another CONTENT NETWORK. Contrast with ORIGINATING. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- INJECTION ../data/rfc/rfc3466.txt- A "send-only" form of DISTRIBUTION INTERNETWORKING that takes ../data/rfc/rfc3466.txt- place from an ORIGIN to a CONTENT DESTINATION. -- ../data/rfc/rfc3466.txt- ORIGINATING ../data/rfc/rfc3466.txt- Describes a CONTENT NETWORK that, as part of a NEGOTIATED ../data/rfc/rfc3466.txt- RELATIONSHIP, submits a DISTRIBUTION task to another CONTENT ../data/rfc/rfc3466.txt- NETWORK, asks another CONTENT NETWORK to perform REQUEST-ROUTING ../data/rfc/rfc3466.txt- on its behalf, or asks another CONTENT NETWORK to provide ../data/rfc/rfc3466.txt: ACCOUNTING data. Contrast with ENLISTED. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- -- ../data/rfc/rfc3466.txt- when both ORIGINATING and ENLISTED networks are involved. 
CONTENT ../data/rfc/rfc3466.txt- INTERNETWORKING GATEWAYS must allow for mechanisms to prevent theft ../data/rfc/rfc3466.txt- or corruption of CONTENT. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- Secure meta-content transfer: CONTENT INTERNETWORKING GATEWAYS must ../data/rfc/rfc3466.txt: support the movement of accurate, reliable, auditable ACCOUNTING ../data/rfc/rfc3466.txt- information between CONTENT NETWORKS. CONTENT INTERNETWORKING ../data/rfc/rfc3466.txt- GATEWAYS must allow for mechanisms to prevent the diversion or ../data/rfc/rfc3466.txt: corruption of ACCOUNTING data and similar meta-content. ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt-7. Acknowledgements ../data/rfc/rfc3466.txt- ../data/rfc/rfc3466.txt- The authors acknowledge the contributions and comments of Fred ../data/rfc/rfc3466.txt- Douglis (AT&T), Don Gilletti (CacheFlow), Markus Hoffmann (Lucent), -- ../data/rfc/rfc4186.txt- ../data/rfc/rfc4186.txt- This document frequently uses the following terms and abbreviations: ../data/rfc/rfc4186.txt- ../data/rfc/rfc4186.txt- AAA protocol ../data/rfc/rfc4186.txt- ../data/rfc/rfc4186.txt: Authentication, Authorization, and Accounting protocol ../data/rfc/rfc4186.txt- ../data/rfc/rfc4186.txt- AuC ../data/rfc/rfc4186.txt- ../data/rfc/rfc4186.txt- Authentication Centre. The GSM network element that provides ../data/rfc/rfc4186.txt- the authentication triplets for authenticating -- ../data/rfc/rfc2768.txt- services requiring research and development. The workshop ../data/rfc/rfc2768.txt- participants discussed the definition of middleware in general, ../data/rfc/rfc2768.txt- examined the applications perspective, detailed underlying network ../data/rfc/rfc2768.txt- transport capabilities relevant to middleware services, and then ../data/rfc/rfc2768.txt- covered various specific examples of middleware components. 
These ../data/rfc/rfc2768.txt: included APIs, authentication, authorization, and accounting (AAA) ../data/rfc/rfc2768.txt- issues, policy framework, directories, resource management, networked ../data/rfc/rfc2768.txt- information discovery and retrieval services, quality of service, ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt- -- ../data/rfc/rfc2768.txt- with remote execution, or for linking together multiple processing ../data/rfc/rfc2768.txt- steps. ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt-6.0 IETF AAA ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt: The IETF AAA (authentication, authorization, and accounting) effort ../data/rfc/rfc2768.txt- is but one of many IETF security initiatives. It depends heavily on a ../data/rfc/rfc2768.txt- Public key infrastructure, which is intended to provide a framework ../data/rfc/rfc2768.txt- which will support a range of trust/hierarchy environments and a ../data/rfc/rfc2768.txt- range of usage environments (RFC1422 is an example of one such ../data/rfc/rfc2768.txt- model). -- ../data/rfc/rfc2768.txt- group efforts are focused on many issues pertaining to middleware, ../data/rfc/rfc2768.txt- including defining processes for access/admission control and ../data/rfc/rfc2768.txt- identification (process for determining a unique entity), ../data/rfc/rfc2768.txt- authentication (process for validating that identity), authorization ../data/rfc/rfc2768.txt- (process for determining an eligibility for resource ../data/rfc/rfc2768.txt: requests/utilization) and accounting (at least to the degree that ../data/rfc/rfc2768.txt- resource utilization is recorded). To some degree, AAA provides for ../data/rfc/rfc2768.txt- addressing certain levels of security, but only at a preliminary ../data/rfc/rfc2768.txt- level. Currently, AAA protocols exist, although not as an integrated ../data/rfc/rfc2768.txt- model or standard. 
One consideration for AAA is to provide for ../data/rfc/rfc2768.txt- various levels of granularity. Even if we don't yet have an -- ../data/rfc/rfc2768.txt- attention must be paid to providing the end-user/customer or network ../data/rfc/rfc2768.txt- administrator with the tools they require to securely and dynamically ../data/rfc/rfc2768.txt- manage an adaptable network infrastructure. Differentiated services ../data/rfc/rfc2768.txt- means that theoretically some traffic gets better service than other ../data/rfc/rfc2768.txt- traffic; subsequently, one can expect to pay for better service, ../data/rfc/rfc2768.txt: which means that accounting and billing services will be one of the ../data/rfc/rfc2768.txt- important middleware core components that others will rely upon. The ../data/rfc/rfc2768.txt- model and protocols necessary to accomplish this are not developed ../data/rfc/rfc2768.txt- yet. ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt:12.0 Authentication, Authorization, and Accounting ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt- The IETF's AAA working group is focusing on the requirements for ../data/rfc/rfc2768.txt: supporting authentication, authorization, accounting, and auditing of ../data/rfc/rfc2768.txt- access to and services provided by network resource managers (e.g., ../data/rfc/rfc2768.txt- bandwidth brokers). These processes constitute an important security ../data/rfc/rfc2768.txt- infrastructure that will be relied upon by middleware and ../data/rfc/rfc2768.txt- applications. However, these components are only basic security ../data/rfc/rfc2768.txt- components. A public key infrastructure (PKI) was identified as a ../data/rfc/rfc2768.txt- crucial security service infrastructure component. For example, the ../data/rfc/rfc2768.txt- PKI will be required to support the transitivity of authentication, ../data/rfc/rfc2768.txt: authorization, and access control and, where appropriate, accounting ../data/rfc/rfc2768.txt- and billing. 
It was noted that, except for issues dealing with group ../data/rfc/rfc2768.txt- security and possibly more efficient and simple management, there are ../data/rfc/rfc2768.txt- no real technical challenges preventing the wide scale deployment of ../data/rfc/rfc2768.txt- a PKI support structure at this time. Instead, the main obstacles to ../data/rfc/rfc2768.txt- overcome are mostly political and economic in nature. However, -- ../data/rfc/rfc2768.txt- public key infrastructure, notary services and provenance ../data/rfc/rfc2768.txt- verification. As we move from a relatively dumb network (e.g. best ../data/rfc/rfc2768.txt- effort IP) to an Internet with embedded intelligence (e.g., DiffServ, ../data/rfc/rfc2768.txt- IntServ, bandwidth brokers, directory-enabled networks, etc.), the ../data/rfc/rfc2768.txt- secure exchange of information will become even more important. In ../data/rfc/rfc2768.txt: addition, as we start to provide differentiated services, accounting ../data/rfc/rfc2768.txt- and statistics gathering will become much more important. We also ../data/rfc/rfc2768.txt- need to provide for the integrity and security of collecting, ../data/rfc/rfc2768.txt- analyzing, and transporting network management and monitoring ../data/rfc/rfc2768.txt- information. And the issues of data privacy and integrity, along ../data/rfc/rfc2768.txt- with addressing denial of service and non-repudiation, cannot be -- ../data/rfc/rfc2768.txt- network management or high energy physics applications) wishing to ../data/rfc/rfc2768.txt- utilize the network or distributed data/computation infrastructure. 
../data/rfc/rfc2768.txt- This document discusses some of the basic and core middleware ../data/rfc/rfc2768.txt- services, which include, but are not limited to: directories, ../data/rfc/rfc2768.txt- name/address resolution services, security services (i.e., ../data/rfc/rfc2768.txt: authentication, authorization, accounting, and access control), ../data/rfc/rfc2768.txt: network management, network monitoring, time servers, and accounting. ../data/rfc/rfc2768.txt- Network level capabilities, such as multicast and DiffServ, are not ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt-Aiken, et al. Informational [Page 24] -- ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt- classified as middleware; rather, they are enabling infrastructure ../data/rfc/rfc2768.txt- services upon which middleware will be built or which middleware may ../data/rfc/rfc2768.txt- use and manage. A second level of important middleware services, ../data/rfc/rfc2768.txt- which builds upon these core set of services, may include ../data/rfc/rfc2768.txt: accounting/billing, resource managers, single sign-on services, ../data/rfc/rfc2768.txt- globally unique names, metadata servers, and locators. 
../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt- A recognized goal is to provide a set of middleware services that ../data/rfc/rfc2768.txt- enable access to and management of the underlying network ../data/rfc/rfc2768.txt- infrastructure and support applications wishing to make use of that -- ../data/rfc/rfc2768.txt- - avoiding deadlock and ensuring efficiency with resource managers ../data/rfc/rfc2768.txt- - network management tools and APIs that provide macroscopic and ../data/rfc/rfc2768.txt- microscopic real-time infrastructure ../data/rfc/rfc2768.txt- - information to middleware services and applications (not just MIBs ../data/rfc/rfc2768.txt- and SNMP access) ../data/rfc/rfc2768.txt: - domain and inter-domain accounting and billing ../data/rfc/rfc2768.txt- - monitoring and verification services of contracted infrastructure ../data/rfc/rfc2768.txt- services ../data/rfc/rfc2768.txt- - enhanced locators that can locate resources and resource managers ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt- -- ../data/rfc/rfc2768.txt- ../data/rfc/rfc2768.txt- - cross administrative policy negotiation and authentication ../data/rfc/rfc2768.txt- - middleware bypass (i.e. access to raw system or network resources ../data/rfc/rfc2768.txt- metadata (i.e., data that is used to describe data found in ../data/rfc/rfc2768.txt- directories or exchanged between services such as resource ../data/rfc/rfc2768.txt: managers, PDPs, PEPs, directories, accounting and billing ../data/rfc/rfc2768.txt- services, etc.) ../data/rfc/rfc2768.txt- - middleware support for mobile or nomadic use ../data/rfc/rfc2768.txt- - support for availability of resources (i.e. replication and load ../data/rfc/rfc2768.txt- balancing ../data/rfc/rfc2768.txt- -- ../data/rfc/rfc8256.txt- ../data/rfc/rfc8256.txt- As an example, the old and new transport resources (e.g., LSP ../data/rfc/rfc8256.txt- tunnels) might compete with each other for resources that they have ../data/rfc/rfc8256.txt- in common. 
Depending on availability of resources, this competition ../data/rfc/rfc8256.txt- can cause admission control to prevent the new LSP tunnel from being ../data/rfc/rfc8256.txt: established as this bandwidth accounting deviates from the ../data/rfc/rfc8256.txt- traditional (non-control plane) management-system operation. While ../data/rfc/rfc8256.txt- SPMEs can be applied in any network context (single-domain, multi- ../data/rfc/rfc8256.txt- domain, single-carrier, multi-carrier, etc.), the main applications ../data/rfc/rfc8256.txt- are in inter-carrier or inter-domain segment monitoring where they ../data/rfc/rfc8256.txt- are typically preconfigured or pre-instantiated. SPME instantiates a -- ../data/rfc/rfc5572.txt- connectivity and a prefix to the internal network. ../data/rfc/rfc5572.txt- ../data/rfc/rfc5572.txt- Automation of the prefix assignment and DNS delegation, done by TSP, ../data/rfc/rfc5572.txt- is a very important feature for a provider in order to substantially ../data/rfc/rfc5572.txt- decrease support costs. The provider can use the same ../data/rfc/rfc5572.txt: Authentication, Authorization, and Accounting (AAA) database that is ../data/rfc/rfc5572.txt- used to authenticate the IPv4 broadband users. Customers can deploy ../data/rfc/rfc5572.txt- home IPv6 networks without any intervention of the provider support ../data/rfc/rfc5572.txt- people. ../data/rfc/rfc5572.txt- ../data/rfc/rfc5572.txt- With the NAT discovery function of TSP, providers can use the same -- ../data/rfc/rfc5873.txt- used for proactively executing EAP authentication and establishing a ../data/rfc/rfc5873.txt- PANA SA (Security Association) between a PaC in an access network and ../data/rfc/rfc5873.txt- a PAA in another access network to which the PaC may move. The ../data/rfc/rfc5873.txt- extension to the PANA protocol is designed to realize direct ../data/rfc/rfc5873.txt- pre-authentication defined in [RFC5836]. 
How to realize ../data/rfc/rfc5873.txt: authorization and accounting with the use of the pre-authentication ../data/rfc/rfc5873.txt- extension is out of the scope of this document. ../data/rfc/rfc5873.txt- ../data/rfc/rfc5873.txt-1.1. Specification of Requirements ../data/rfc/rfc5873.txt- ../data/rfc/rfc5873.txt- In this document, several words are used to signify the requirements -- ../data/rfc/rfc1280.txt-Internet Activities Board [Page 17] ../data/rfc/rfc1280.txt- ../data/rfc/rfc1280.txt-RFC 1280 IAB Standards March 1992 ../data/rfc/rfc1280.txt- ../data/rfc/rfc1280.txt- ../data/rfc/rfc1280.txt: 1272 - Internet Accounting: Background ../data/rfc/rfc1280.txt- ../data/rfc/rfc1280.txt- This is an information document and does not specify any ../data/rfc/rfc1280.txt- level of standard. ../data/rfc/rfc1280.txt- ../data/rfc/rfc1280.txt- 1271 - Remote Network Monitoring Management Information Base -- ../data/rfc/rfc900.txt- 1-149 Unassigned [JBP] ../data/rfc/rfc900.txt- 150 Xerox NS IDP [97,LLG] ../data/rfc/rfc900.txt- 151 Unassigned [JBP] ../data/rfc/rfc900.txt- 152 PARC Universal Protocol [11,HGM] ../data/rfc/rfc900.txt- 153 TIP Status Reporting [JGH] ../data/rfc/rfc900.txt: 154 TIP Accounting [JGH] ../data/rfc/rfc900.txt- 155 Internet Protocol [regular] [31,71,JBP] ../data/rfc/rfc900.txt- 156-158 Internet Protocol [experimental] [31,71,JBP] ../data/rfc/rfc900.txt- 159 Figleaf Link [JBW1] ../data/rfc/rfc900.txt- 160-195 Unassigned [JBP] ../data/rfc/rfc900.txt- 196-247 Experimental Protocols [JBP] -- ../data/rfc/rfc3002.txt- the existing IETF Next Generation Transition (ngtrans) working group, ../data/rfc/rfc3002.txt- provided any mobile IP interoperation issues be identified. 
../data/rfc/rfc3002.txt- ../data/rfc/rfc3002.txt-4.4.3 ../data/rfc/rfc3002.txt- ../data/rfc/rfc3002.txt: Scalable and widespread authentication, authorization, and accounting ../data/rfc/rfc3002.txt- (AAA) services are critical to the deployment of commercial services ../data/rfc/rfc3002.txt- based on (wireless) mobile IP. Some work is progressing on ../data/rfc/rfc3002.txt- definition of these standards for IP mobility [26,49]. However, due ../data/rfc/rfc3002.txt- to the pivotal role of these protocols on the ability to deploy ../data/rfc/rfc3002.txt- commercial services, it was recommended to make finalization of these -- ../data/rfc/rfc3002.txt- [6] Allman, M., Dawkins, S., Glover, D., Griner, J., Tran, D., ../data/rfc/rfc3002.txt- Henderson, T., Heidemann, J., Touch, J., Kruse, H., Ostermann, ../data/rfc/rfc3002.txt- S., Scott, K. and J. Semke, "Ongoing TCP Research Related to ../data/rfc/rfc3002.txt- Satellites", RFC 2760, February 2000. ../data/rfc/rfc3002.txt- ../data/rfc/rfc3002.txt: [7] Arkko, J., "Requirements for Internet-Scale Accounting ../data/rfc/rfc3002.txt- Management", Work in Progress. ../data/rfc/rfc3002.txt- ../data/rfc/rfc3002.txt- [8] Bates, T., Chandra, R., Katz, D. and Y. Rekhter, "Multiprotocol ../data/rfc/rfc3002.txt- Extensions for BGP-4", RFC 2283, February 1998. ../data/rfc/rfc3002.txt- -- ../data/rfc/rfc3002.txt- [25] Floyd, S., Mahdavi, J., Mathis, M. and M. Podolsky, "An ../data/rfc/rfc3002.txt- Extension to the Selective Acknowledgment (SACK) Option for ../data/rfc/rfc3002.txt- TCP", RFC 2883, July 2000. ../data/rfc/rfc3002.txt- ../data/rfc/rfc3002.txt- [26] Glass, S., Hiller, T., Jacobs, S. and C. Perkins, "Mobile IP ../data/rfc/rfc3002.txt: Authentication, Authorization, and Accounting Requirements", RFC ../data/rfc/rfc3002.txt- 2977, October 2000. ../data/rfc/rfc3002.txt- ../data/rfc/rfc3002.txt- [27] Gulbrandsen, A. and P. 
Vixie, "A DNS RR for specifying the ../data/rfc/rfc3002.txt- location of services (DNS SRV)", RFC 2052, October 1996. ../data/rfc/rfc3002.txt- -- ../data/rfc/rfc5977.txt- |<---------------------------------------------+ ../data/rfc/rfc5977.txt- ../data/rfc/rfc5977.txt- Figure 24: RMD message exchange ../data/rfc/rfc5977.txt- ../data/rfc/rfc5977.txt- Authorizing quality-of-service reservations is accomplished using the ../data/rfc/rfc5977.txt: Authentication, Authorization, and Accounting (AAA) framework and the ../data/rfc/rfc5977.txt- functionality is inherited from the underlying NSIS QoS NSLP, see ../data/rfc/rfc5977.txt- [RFC5974], and not described again in this document. As a technical ../data/rfc/rfc5977.txt- solution mechanism, the Diameter QoS application [RFC5866] may be ../data/rfc/rfc5977.txt- used. The end-to-end reservation request arriving at the Ingress ../data/rfc/rfc5977.txt- node will trigger the authorization procedure with the backend AAA -- ../data/rfc/rfc6041.txt- 4.1.5. QoS Capabilities Exchange and Configuration .........7 ../data/rfc/rfc6041.txt- 4.1.6. Security Exchange ...................................7 ../data/rfc/rfc6041.txt- 4.1.7. Filtering Exchange and Firewalls ....................7 ../data/rfc/rfc6041.txt- 4.1.8. Encapsulation/Tunneling Exchange ....................7 ../data/rfc/rfc6041.txt- 4.1.9. NAT and Application-Level Gateways ..................7 ../data/rfc/rfc6041.txt: 4.1.10. Measurement and Accounting .........................7 ../data/rfc/rfc6041.txt- 4.1.11. Diagnostics ........................................8 ../data/rfc/rfc6041.txt- 4.1.12. Redundancy and Failover ............................8 ../data/rfc/rfc6041.txt- 4.2. CE-FE Link Capability ......................................8 ../data/rfc/rfc6041.txt- 4.3. CE/FE Locality .............................................8 ../data/rfc/rfc6041.txt- 5. 
Security Considerations .........................................9 -- ../data/rfc/rfc6041.txt- ../data/rfc/rfc6041.txt- o Encapsulation/Tunneling Exchange ../data/rfc/rfc6041.txt- ../data/rfc/rfc6041.txt- o NAT and Application-Level Gateways ../data/rfc/rfc6041.txt- ../data/rfc/rfc6041.txt: o Measurement and Accounting ../data/rfc/rfc6041.txt- ../data/rfc/rfc6041.txt- o Diagnostics ../data/rfc/rfc6041.txt- ../data/rfc/rfc6041.txt- o CE Redundancy or CE Failover ../data/rfc/rfc6041.txt- -- ../data/rfc/rfc6041.txt- ForCES may be used to exchange configuration information for Network ../data/rfc/rfc6041.txt- Address Translators. Whilst ForCES is not specifically designed for ../data/rfc/rfc6041.txt- the configuration of application-level gateway functionality, this ../data/rfc/rfc6041.txt- may be in scope for some types of application-level gateways. ../data/rfc/rfc6041.txt- ../data/rfc/rfc6041.txt:4.1.10. Measurement and Accounting ../data/rfc/rfc6041.txt- ../data/rfc/rfc6041.txt- ForCES may be used to exchange configuration information regarding ../data/rfc/rfc6041.txt: traffic measurement and accounting functionality. In this area, ../data/rfc/rfc6041.txt- ForCES may overlap somewhat with functionality provided by network ../data/rfc/rfc6041.txt- management mechanisms such as the Simple Network Management Protocol ../data/rfc/rfc6041.txt- (SNMP). In some cases, ForCES may be used to convey information to ../data/rfc/rfc6041.txt- the CE to be reported externally using SNMP. A further discussion of ../data/rfc/rfc6041.txt- this capability is covered in Section 6 of this document. -- ../data/rfc/rfc2058.txt-1. Introduction ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt- Managing dispersed serial line and modem pools for large numbers of ../data/rfc/rfc2058.txt- users can create the need for significant administrative support. 
../data/rfc/rfc2058.txt- Since modem pools are by definition a link to the outside world, they ../data/rfc/rfc2058.txt: require careful attention to security, authorization and accounting. ../data/rfc/rfc2058.txt- This can be best achieved by managing a single "database" of users, ../data/rfc/rfc2058.txt- which allows for authentication (verifying user name and password) as ../data/rfc/rfc2058.txt- well as configuration information detailing the type of service to ../data/rfc/rfc2058.txt- deliver to the user (for example, SLIP, PPP, telnet, rlogin). ../data/rfc/rfc2058.txt- -- ../data/rfc/rfc2058.txt- RADIUS Codes (decimal) are assigned as follows: ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt- 1 Access-Request ../data/rfc/rfc2058.txt- 2 Access-Accept ../data/rfc/rfc2058.txt- 3 Access-Reject ../data/rfc/rfc2058.txt: 4 Accounting-Request ../data/rfc/rfc2058.txt: 5 Accounting-Response ../data/rfc/rfc2058.txt- 11 Access-Challenge ../data/rfc/rfc2058.txt- 12 Status-Server (experimental) ../data/rfc/rfc2058.txt- 13 Status-Client (experimental) ../data/rfc/rfc2058.txt- 255 Reserved ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt: Codes 4 and 5 will be covered in the RADIUS Accounting document [9], ../data/rfc/rfc2058.txt- and are not further mentioned here. Codes 12 and 13 are reserved for ../data/rfc/rfc2058.txt- possible use, but are not further mentioned here. ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt-Identifier ../data/rfc/rfc2058.txt- -- ../data/rfc/rfc2058.txt- In the section below on "Attributes" where the text refers to which ../data/rfc/rfc2058.txt- packets an attribute is allowed in, only packets with Codes 1, 2, 3 ../data/rfc/rfc2058.txt- and 11 and attributes defined in this document are covered in this ../data/rfc/rfc2058.txt- document. A summary table is provided at the end of the "Attributes" ../data/rfc/rfc2058.txt- section. 
To determine which Attributes are allowed in packets with ../data/rfc/rfc2058.txt: codes 4 and 5 refer to the RADIUS Accounting document [9]. ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt-4. Packet Types ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt- The RADIUS Packet type is determined by the Code field in the first ../data/rfc/rfc2058.txt- octet of the Packet. -- ../data/rfc/rfc2058.txt- 35 Login-LAT-Node ../data/rfc/rfc2058.txt- 36 Login-LAT-Group ../data/rfc/rfc2058.txt- 37 Framed-AppleTalk-Link ../data/rfc/rfc2058.txt- 38 Framed-AppleTalk-Network ../data/rfc/rfc2058.txt- 39 Framed-AppleTalk-Zone ../data/rfc/rfc2058.txt: 40-59 (reserved for accounting) ../data/rfc/rfc2058.txt- 60 CHAP-Challenge ../data/rfc/rfc2058.txt- 61 NAS-Port-Type ../data/rfc/rfc2058.txt- 62 Port-Limit ../data/rfc/rfc2058.txt- 63 Login-LAT-Port ../data/rfc/rfc2058.txt- -- ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt- Description ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt- This Attribute is available to be sent by the server to the client ../data/rfc/rfc2058.txt- in an Access-Accept and should be sent unmodified by the client to ../data/rfc/rfc2058.txt: the accounting server as part of the Accounting-Request packet if ../data/rfc/rfc2058.txt: accounting is supported. No interpretation by the client should ../data/rfc/rfc2058.txt- be made. ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt- -- ../data/rfc/rfc2058.txt- [8] Galvin, J., McCloghrie, K., and J. Davin, "SNMP Security ../data/rfc/rfc2058.txt- Protocols", RFC 1352, Trusted Information Systems, Inc., Hughes ../data/rfc/rfc2058.txt- LAN Systems, Inc., MIT Laboratory for Computer Science, July ../data/rfc/rfc2058.txt- 1992. ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt: [9] Rigney, C., "RADIUS Accounting", RFC 2059, January 1997. 
../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt-Acknowledgments ../data/rfc/rfc2058.txt- ../data/rfc/rfc2058.txt- RADIUS was originally developed by Livingston Enterprises for their ../data/rfc/rfc2058.txt- PortMaster series of Network Access Servers. -- ../data/rfc/rfc5920.txt- interworking, there is a good discussion on security for management ../data/rfc/rfc5920.txt- interfaces to Network Elements [OIF-Sec-Mag]. ../data/rfc/rfc5920.txt- ../data/rfc/rfc5920.txt- Network elements typically have one or more (in some cases many) ../data/rfc/rfc5920.txt- Operation and Management interfaces used for network management, ../data/rfc/rfc5920.txt: billing and accounting, configuration, maintenance, and other ../data/rfc/rfc5920.txt- administrative activities. ../data/rfc/rfc5920.txt- ../data/rfc/rfc5920.txt- Remote access to a network element through these Operation and ../data/rfc/rfc5920.txt- Management interfaces is frequently a requirement. Securing the ../data/rfc/rfc5920.txt- control protocols while leaving these Operation and Management -- ../data/rfc/rfc5380.txt- ../data/rfc/rfc5380.txt-RFC 5380 HMIPv6 October 2008 ../data/rfc/rfc5380.txt- ../data/rfc/rfc5380.txt- ../data/rfc/rfc5380.txt- Hence, EAP can be used with IKEv2 to leverage the Authentication, ../data/rfc/rfc5380.txt: Authorization, and Accounting (AAA) infrastructure to bootstrap the ../data/rfc/rfc5380.txt- SA between the mobile node and the MAP. Such a mechanism is useful ../data/rfc/rfc5380.txt- in scenarios where an administrator wishes to avoid the configuration ../data/rfc/rfc5380.txt- and management of certificates on mobile nodes. A MAP MAY support ../data/rfc/rfc5380.txt- the use of EAP over IKEv2. 
../data/rfc/rfc5380.txt- -- ../data/rfc/rfc501.txt- Un-Muddling "Free File Transfer" ../data/rfc/rfc501.txt- ../data/rfc/rfc501.txt- As the ARPA Network begin to mature, we find ourselves addressing ../data/rfc/rfc501.txt- issues and concepts deliberately put off and left untouched at ../data/rfc/rfc501.txt- earlier stages of Network development. Among the issues now coming ../data/rfc/rfc501.txt: to the fore are access control, user authentication, and accounting. ../data/rfc/rfc501.txt- These issues arise immediately out of efforts to develop uniform ../data/rfc/rfc501.txt- methods for providing limited "free" access to the File Transfer ../data/rfc/rfc501.txt- Servers of the host systems, to meet user needs for mail transmission ../data/rfc/rfc501.txt- and similar services. ../data/rfc/rfc501.txt- -- ../data/rfc/rfc501.txt- security, but on which the user has no access privileges". ../data/rfc/rfc501.txt- Unfortunately, beginning with the first paragraph of the RFC, the ../data/rfc/rfc501.txt- notions of access controls on files (examples of protection ../data/rfc/rfc501.txt- mechanisms), and control of access to the system (user ../data/rfc/rfc501.txt- authentication) are thoroughly muddled. In addition, he makes ../data/rfc/rfc501.txt: sweeping assumptions about the nature and use of accounting ../data/rfc/rfc501.txt- mechanisms and accounts at server sites. RFC 487 also has buried ../data/rfc/rfc501.txt- deep within it assumptions about the nature of the access control and ../data/rfc/rfc501.txt- user authentication aspects of File Transfer Server implementations. ../data/rfc/rfc501.txt- ../data/rfc/rfc501.txt- What's needed at this juncture, of course, is a lucid discussion of -- ../data/rfc/rfc501.txt- the remainder of this RFC. What you will find is perhaps enough of a ../data/rfc/rfc501.txt- discussion to un-muddle that which RFC 487 has muddled; the rest will ../data/rfc/rfc501.txt- have to come down the pike at a later time. 
../data/rfc/rfc501.txt- ../data/rfc/rfc501.txt- In many systems, mechanisms which control access to the system, ../data/rfc/rfc501.txt: mechanism which control access to files, and accounting mechanisms ../data/rfc/rfc501.txt- all mesh at the moment at which a prospective user of the system is ../data/rfc/rfc501.txt- authenticated: the system has checked his user-name, password, ../data/rfc/rfc501.txt- ../data/rfc/rfc501.txt- ../data/rfc/rfc501.txt- -- ../data/rfc/rfc501.txt- "Network services" account. Mechanisms for accomplishing this are ../data/rfc/rfc501.txt- presented in RFC 491. [3] ../data/rfc/rfc501.txt- ../data/rfc/rfc501.txt- RFC 487 matter-of-factly suggests that retrieval of files in "system" ../data/rfc/rfc501.txt- directories should be charged to "overhead". Here too, some broad ../data/rfc/rfc501.txt: assumptions are made about the nature of accounting mechanisms and ../data/rfc/rfc501.txt- accounts at server sites. In addition, an undesirable loss of ../data/rfc/rfc501.txt- generality is imposed upon the File Transfer Server: It is now ../data/rfc/rfc501.txt- required to have the capability of distinguishing the pathnames of ../data/rfc/rfc501.txt- "system" files from those of "user" files. In a number of systems, ../data/rfc/rfc501.txt- there is no syntactic distinction between the two, and the same -- ../data/rfc/rfc501.txt- users. I don't think many people in the Network community would ../data/rfc/rfc501.txt- consider the actual (as opposed to charged) CPU time spent ../data/rfc/rfc501.txt- transferring a file to be negligible. Certainly, if a system is a ../data/rfc/rfc501.txt- very popular or busy one from a Network standpoint, the cumulative ../data/rfc/rfc501.txt- CPU time spent on "free" file transfers, viewed at the end of an ../data/rfc/rfc501.txt: accounting period (a week? a month? a year?) will not be negligible! 
../data/rfc/rfc501.txt- ../data/rfc/rfc501.txt- In this RFC, I've picked apart Bob Bressler's RFC 487, mostly because ../data/rfc/rfc501.txt- of its confusion of several distinct (although related) issues, and ../data/rfc/rfc501.txt- the implementation assumptions it contains which conflict with (or ../data/rfc/rfc501.txt- badly bend out of shape) mechanisms and design philosophies existing -- ../data/rfc/rfc2900.txt-WEBDAV HTTP Extensions for Distributed Authoring -- WEBDAV 2518 ../data/rfc/rfc2900.txt-ATM-MIBMAN Definitions of Managed Objects for ATM Management 2515 ../data/rfc/rfc2900.txt-ATM-TC-OID Definitions of Textual Conventions and OBJECT- 2514 ../data/rfc/rfc2900.txt- IDENTITIES for ATM Management ../data/rfc/rfc2900.txt--------- Managed Objects for Controlling the Collection 2513 ../data/rfc/rfc2900.txt: and Storage of Accounting Information for ../data/rfc/rfc2900.txt- Connection-Oriented Networks ../data/rfc/rfc2900.txt:-------- Accounting Information for ATM Networks 2512 ../data/rfc/rfc2900.txt-X.509-CRMF Internet X.509 Certificate Request Message Format 2511 ../data/rfc/rfc2900.txt-PKICMP Internet X.509 Public Key Infrastructure Certificate 2510 ../data/rfc/rfc2900.txt- Management Protocols ../data/rfc/rfc2900.txt-IPCOM-PPP IP Header Compression over PPP 2509 ../data/rfc/rfc2900.txt--------- Compressing IP/UDP/RTP Headers for Low-Speed Serial 2508 -- ../data/rfc/rfc5351.txt- partially overlap with grid computing/high-performance ../data/rfc/rfc5351.txt- computing. 
However, the scope of both areas is completely ../data/rfc/rfc5351.txt- different: grid and high-performance computing also cover ../data/rfc/rfc5351.txt- topics like managing different administrative domains, data ../data/rfc/rfc5351.txt- locking and synchronization, inter-session communication, and ../data/rfc/rfc5351.txt: resource accounting for powerful computation services, but the ../data/rfc/rfc5351.txt- intention of RSerPool is simply a lightweight realization of ../data/rfc/rfc5351.txt- load distribution and session management. In particular, these ../data/rfc/rfc5351.txt- functionalities are intended to be used on ../data/rfc/rfc5351.txt- ../data/rfc/rfc5351.txt- -- ../data/rfc/rfc2998.txt- 2. Only a small number of hosts currently generate RSVP signaling. ../data/rfc/rfc2998.txt- While this number is expected to grow dramatically, many ../data/rfc/rfc2998.txt- applications may never generate RSVP signaling. ../data/rfc/rfc2998.txt- ../data/rfc/rfc2998.txt- 3. The necessary policy control mechanisms -- access control, ../data/rfc/rfc2998.txt: authentication, and accounting -- have only recently become ../data/rfc/rfc2998.txt- available [17]. ../data/rfc/rfc2998.txt- ../data/rfc/rfc2998.txt-1.3 Diffserv ../data/rfc/rfc2998.txt- ../data/rfc/rfc2998.txt- In contrast to the per-flow orientation of RSVP, Diffserv networks -- ../data/rfc/rfc4372.txt- Chargeable-User-Identity in order to demonstrate willingness to pay ../data/rfc/rfc4372.txt- or otherwise limit the potential for fraud. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- This implies that a unique identity provided by the home network ../data/rfc/rfc4372.txt- should be able to be conveyed to all parties involved in the roaming ../data/rfc/rfc4372.txt: transaction for correlating the authentication and accounting ../data/rfc/rfc4372.txt- packets. 
../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- Providing a unique identity, Chargeable-User-Identity (CUI), to ../data/rfc/rfc4372.txt- intermediaries, is necessary to fulfill certain business needs. This ../data/rfc/rfc4372.txt- should not undermine the anonymity of the user. The mechanism -- ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- - On the use of RADIUS Class(25) attribute: ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- [RFC2865] states: "This Attribute is available to be sent by the ../data/rfc/rfc4372.txt- server to the client in an Access-Accept packet and SHOULD be sent ../data/rfc/rfc4372.txt: unmodified by the client to the accounting server as part of the ../data/rfc/rfc4372.txt: Accounting-Request packet if accounting is supported. The client ../data/rfc/rfc4372.txt- MUST NOT interpret the attribute locally." So RADIUS clients or ../data/rfc/rfc4372.txt- intermediaries MUST NOT interpret the Class(25) attribute, which ../data/rfc/rfc4372.txt- precludes determining whether it contains a CUI. Additionally, ../data/rfc/rfc4372.txt- there could be multiple class attributes in a RADIUS packet, and ../data/rfc/rfc4372.txt- since the contents of Class(25) attribute is not to be interpreted -- ../data/rfc/rfc4372.txt-RFC 4372 Chargeable User Identity January 2006 ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- included within an Access-Accept packet. The result is that when ../data/rfc/rfc4372.txt- a User-Name(1) attribute is sent in an Access-Accept packet, it is ../data/rfc/rfc4372.txt: possible that the Access-Request packet and Accounting-Request ../data/rfc/rfc4372.txt- packets will follow different paths. Where this outcome is ../data/rfc/rfc4372.txt- undesirable, the RADIUS client should use the original ../data/rfc/rfc4372.txt: User-Name(1) in accounting packets. 
Therefore, another mechanism ../data/rfc/rfc4372.txt- is required to convey a CUI within an Access-Accept packet to the ../data/rfc/rfc4372.txt: RADIUS client, so that the CUI can be included in the accounting ../data/rfc/rfc4372.txt- packets. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- The CUI attribute provides a solution to the above problems and ../data/rfc/rfc4372.txt- avoids overloading RADIUS User-Name(1) attribute or changing the ../data/rfc/rfc4372.txt- usage of existing RADIUS Class(25) attribute. The CUI therefore -- ../data/rfc/rfc4372.txt- document are to be interpreted as described in [RFC2119]. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- The following acronyms are used: ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- 3GPP - Third Generation Partnership Project ../data/rfc/rfc4372.txt: AAA - Authentication, Authorization, and Accounting ../data/rfc/rfc4372.txt- AKA - Authentication and Key Agreement ../data/rfc/rfc4372.txt- CUI - Chargeable-User-Identity ../data/rfc/rfc4372.txt- GSMA - GSM Association ../data/rfc/rfc4372.txt- IRAP - International Roaming Access Protocols Program ../data/rfc/rfc4372.txt- NAS - Network Access Server -- ../data/rfc/rfc4372.txt- a RADIUS client that requested the CUI attribute, then the ../data/rfc/rfc4372.txt- Access-Accept packet MAY be treated as an Access-Reject. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- If the CUI was included in an Access-Accept packet, RADIUS clients ../data/rfc/rfc4372.txt- supporting the CUI attribute MUST ensure that the CUI attribute ../data/rfc/rfc4372.txt: appears in the RADIUS Accounting-Request (Start, Interim, and Stop). ../data/rfc/rfc4372.txt- This requirement applies regardless of whether the RADIUS client ../data/rfc/rfc4372.txt- requested the CUI attribute. 
../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- RFC 2865 includes the following statements about behaviors of RADIUS ../data/rfc/rfc4372.txt- client and server with respect to unsupported attributes: -- ../data/rfc/rfc4372.txt- initial authentication or during re-authentication. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- A NAS that requested the CUI during re-authentication by including ../data/rfc/rfc4372.txt- the CUI in the Access-Request will receive the CUI in the ../data/rfc/rfc4372.txt- Access-Accept. The NAS MUST include the value of that CUI in all ../data/rfc/rfc4372.txt: Accounting Messages. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt-2.2. CUI Attribute ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- A summary of the RADIUS CUI attribute is given below. ../data/rfc/rfc4372.txt- -- ../data/rfc/rfc4372.txt-3. Attribute Table ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- The following table provides a guide to which attribute(s) may be ../data/rfc/rfc4372.txt- found in which kinds of packets, and in what quantity. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt: Request Accept Reject Challenge Accounting # Attribute ../data/rfc/rfc4372.txt- Request ../data/rfc/rfc4372.txt- 0-1 0-1 0 0 0-1 89 Chargeable-User-Identity ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- Note: If the Access-Accept packet contains CUI, then the NAS MUST ../data/rfc/rfc4372.txt: include the CUI in Accounting Requests (Start, Interim, and Stop) ../data/rfc/rfc4372.txt- packets. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt-4. Diameter Consideration ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- Diameter needs to define an identical attribute with the same Type -- ../data/rfc/rfc4372.txt- The RADIUS entities (RADIUS proxies and clients) outside the home ../data/rfc/rfc4372.txt- network MUST NOT modify the CUI or insert a CUI in an Access-Accept. ../data/rfc/rfc4372.txt- However, there is no way to detect or prevent this. 
../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- Attempting theft of service, a man-in-the-middle may try to insert, ../data/rfc/rfc4372.txt: modify, or remove the CUI in the Access-Accept packets and Accounting ../data/rfc/rfc4372.txt: packets. However, RADIUS Access-Accept and Accounting packets ../data/rfc/rfc4372.txt- already provide integrity protection. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- -- ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, ../data/rfc/rfc4372.txt- "Remote Authentication Dial In User Service (RADIUS)", ../data/rfc/rfc4372.txt- RFC 2865, June 2000. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc4372.txt- ../data/rfc/rfc4372.txt- [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, ../data/rfc/rfc4372.txt- "Diameter Network Access Server Application", RFC 4005, ../data/rfc/rfc4372.txt- August 2005. ../data/rfc/rfc4372.txt- -- ../data/rfc/rfc5749.txt- specific root key (DSUSRK) that has been derived from an Extended ../data/rfc/rfc5749.txt- Master Session Key (EMSK) hierarchy previously established between ../data/rfc/rfc5749.txt- the EAP server and an EAP peer. This document defines a template for ../data/rfc/rfc5749.txt- a key distribution exchange (KDE) protocol that can distribute these ../data/rfc/rfc5749.txt- different types of root keys using a AAA (Authentication, ../data/rfc/rfc5749.txt: Authorization, and Accounting) protocol and discusses its security ../data/rfc/rfc5749.txt- requirements. The described protocol template does not specify ../data/rfc/rfc5749.txt- message formats, data encoding, or other implementation details. It ../data/rfc/rfc5749.txt- thus needs to be instantiated with a specific protocol (e.g., RADIUS ../data/rfc/rfc5749.txt- or Diameter) before it can be used. 
../data/rfc/rfc5749.txt- -- ../data/rfc/rfc5749.txt- document, a server delivering root keys is referred to as a Key ../data/rfc/rfc5749.txt- Delivering Server (KDS), and a server authorized to request and ../data/rfc/rfc5749.txt- receive root keys from a KDS is referred to as a Key Requesting ../data/rfc/rfc5749.txt- Server (KRS). The Key Distribution Exchange (KDE) mechanism defined ../data/rfc/rfc5749.txt- in this document runs over a AAA (Authentication, Authorization, and ../data/rfc/rfc5749.txt: Accounting) protocol, e.g., RADIUS ([RFC2865], [RFC3579]) or Diameter ../data/rfc/rfc5749.txt- [RFC3588], and has several variants depending on the type of key that ../data/rfc/rfc5749.txt- is requested and delivered (i.e., DRSK, USRK, or DSUSRK). The ../data/rfc/rfc5749.txt- ../data/rfc/rfc5749.txt- ../data/rfc/rfc5749.txt- -- ../data/rfc/rfc5749.txt- document are to be interpreted as described in [RFC2119]. ../data/rfc/rfc5749.txt- ../data/rfc/rfc5749.txt- The following acronyms are used. ../data/rfc/rfc5749.txt- ../data/rfc/rfc5749.txt- AAA ../data/rfc/rfc5749.txt: Authentication, Authorization and Accounting. AAA protocols with ../data/rfc/rfc5749.txt- EAP support include RADIUS ([RFC2865], [RFC3579]) and Diameter ../data/rfc/rfc5749.txt- [RFC3588]. ../data/rfc/rfc5749.txt- ../data/rfc/rfc5749.txt- USRK ../data/rfc/rfc5749.txt- Usage-Specific Root Key. 
A root key that is derived from the -- ../data/rfc/rfc960.txt- 1-149 Unassigned [JBP] ../data/rfc/rfc960.txt- 150 Xerox NS IDP [129,LLG] ../data/rfc/rfc960.txt- 151 Unassigned [JBP] ../data/rfc/rfc960.txt- 152 PARC Universal Protocol [15,HGM] ../data/rfc/rfc960.txt- 153 TIP Status Reporting [JGH] ../data/rfc/rfc960.txt: 154 TIP Accounting [JGH] ../data/rfc/rfc960.txt- 155 Internet Protocol [regular] [39,92,JBP] ../data/rfc/rfc960.txt- 156-158 Internet Protocol [experimental] [39,92,JBP] ../data/rfc/rfc960.txt- 159 Figleaf Link [JBW1] ../data/rfc/rfc960.txt- 160-194 Unassigned [JBP] ../data/rfc/rfc960.txt- 195 ISO-IP [58,RXM] -- ../data/rfc/rfc5974.txt- Authorization: ../data/rfc/rfc5974.txt- ../data/rfc/rfc5974.txt- The QoS NSLP must assure that the network is protected against ../data/rfc/rfc5974.txt- theft-of-service by offering mechanisms to authorize the QoS ../data/rfc/rfc5974.txt- reservation requester. A user requesting a QoS reservation might ../data/rfc/rfc5974.txt: want proper resource accounting and protection against spoofing ../data/rfc/rfc5974.txt- and other security vulnerabilities that lead to denial of service ../data/rfc/rfc5974.txt- and financial loss. In many cases, authorization is based on the ../data/rfc/rfc5974.txt- authenticated identity. The authorization solution must provide ../data/rfc/rfc5974.txt- guarantees that replay attacks are either not possible or limited ../data/rfc/rfc5974.txt- to a certain extent. Authorization can also be based on traits -- ../data/rfc/rfc5974.txt- .... Communication to the end host ../data/rfc/rfc5974.txt- ../data/rfc/rfc5974.txt- Figure 16: New Jersey Turnpike Model ../data/rfc/rfc5974.txt- ../data/rfc/rfc5974.txt- The model shown in Figure 16 uses peer-to-peer relationships between ../data/rfc/rfc5974.txt: different administrative domains as a basis for accounting and ../data/rfc/rfc5974.txt- charging. 
As mentioned above, based on the peering relationship, a ../data/rfc/rfc5974.txt- chain-of-trust is established. There are several issues that come to ../data/rfc/rfc5974.txt- mind when considering this type of model: ../data/rfc/rfc5974.txt- ../data/rfc/rfc5974.txt- o The model allows authorization on a request basis or on a per- -- ../data/rfc/rfc5974.txt- exchanged between the different networks are then also subject to ../data/rfc/rfc5974.txt- authentication and authorization. However, the authenticated entity ../data/rfc/rfc5974.txt- is thereby the neighboring network and not the end host. ../data/rfc/rfc5974.txt- ../data/rfc/rfc5974.txt- The New Jersey Turnpike model is attractive because of its ../data/rfc/rfc5974.txt: simplicity. S. Shenker, et al. [shenker] discuss various accounting ../data/rfc/rfc5974.txt- implications and introduced the edge pricing model. The edge pricing ../data/rfc/rfc5974.txt- model shows similarity to the model described in this section, with ../data/rfc/rfc5974.txt- the exception that mobility and the security implications are not ../data/rfc/rfc5974.txt- addressed. ../data/rfc/rfc5974.txt- -- ../data/rfc/rfc5974.txt- o bypassing_type: it defines if a QNE bypasses end-to-end messages ../data/rfc/rfc5974.txt- or not ../data/rfc/rfc5974.txt- ../data/rfc/rfc5974.txt-Appendix B. Glossary ../data/rfc/rfc5974.txt- ../data/rfc/rfc5974.txt: AAA: Authentication, Authorization, and Accounting ../data/rfc/rfc5974.txt- ../data/rfc/rfc5974.txt- EAP: Extensible Authentication Protocol ../data/rfc/rfc5974.txt- ../data/rfc/rfc5974.txt- MRI: Message Routing Information (see [RFC5971]) ../data/rfc/rfc5974.txt- -- ../data/rfc/rfc189.txt- CAN (CANCEL) (a) On an output channel, CAN causes the rest of the ../data/rfc/rfc189.txt- output in the sysout data set currently being ../data/rfc/rfc189.txt- transmitted to be omitted. 
Alternatively, may ../data/rfc/rfc189.txt- omit the rest of the sysout data sets for the job ../data/rfc/rfc189.txt- currently being transmitted; however, the remain- ../data/rfc/rfc189.txt: ing system and accounting messages will be sent. ../data/rfc/rfc189.txt- ../data/rfc/rfc189.txt- ../data/rfc/rfc189.txt- ../data/rfc/rfc189.txt- ../data/rfc/rfc189.txt- -- ../data/rfc/rfc122.txt- ../data/rfc/rfc122.txt-I. Preface ../data/rfc/rfc122.txt- ../data/rfc/rfc122.txt- UCSB will provide file storage for Network users. UCSB's Simple ../data/rfc/rfc122.txt- Minded File System (SMFS) is addressed as socket number X'401', site ../data/rfc/rfc122.txt: 3. No accounting parameters are required. This document is intended ../data/rfc/rfc122.txt- to provide programmers with the information necessary to communicate ../data/rfc/rfc122.txt- with SMFS which conducts all Network transactions trough its NCP ../data/rfc/rfc122.txt- which operates under the Host-Host protocol of August 3, 1970.* ../data/rfc/rfc122.txt- ../data/rfc/rfc122.txt-II. Implementation -- ../data/rfc/rfc6677.txt- the current Extensible Authentication Protocol (EAP) architecture ../data/rfc/rfc6677.txt- [RFC3748] when used in pass-through authenticator mode. Here, a ../data/rfc/rfc6677.txt- Network Access Server (NAS), or pass-through authenticator, may ../data/rfc/rfc6677.txt- represent one set of information (e.g., network identity, ../data/rfc/rfc6677.txt- capabilities, configuration, etc) to the backend Authentication, ../data/rfc/rfc6677.txt: Authorization, and Accounting (AAA) infrastructure, while ../data/rfc/rfc6677.txt- representing contrary information to EAP peers. Another possibility ../data/rfc/rfc6677.txt- is that the same false information could be provided to both the EAP ../data/rfc/rfc6677.txt- peer and EAP server by the NAS. A "lying" entity can also be located ../data/rfc/rfc6677.txt- anywhere on the AAA path between the NAS and the EAP server. 
../data/rfc/rfc6677.txt- -- ../data/rfc/rfc6677.txt- ../data/rfc/rfc6677.txt- A new RADIUS attribute is defined to carry information on which EAP ../data/rfc/rfc6677.txt- lower layer is used for this EAP authentication. This attribute ../data/rfc/rfc6677.txt- provides information relating to the lower layer over which EAP is ../data/rfc/rfc6677.txt- transported. This attribute MAY be sent by the NAS to the RADIUS ../data/rfc/rfc6677.txt: server in an Access-Request or an Accounting-Request packet. A ../data/rfc/rfc6677.txt- summary of the EAP-Lower-Layer attribute format is shown below. The ../data/rfc/rfc6677.txt- fields are transmitted from left to right. ../data/rfc/rfc6677.txt- ../data/rfc/rfc6677.txt- 0 1 2 3 ../data/rfc/rfc6677.txt- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -- ../data/rfc/rfc4081.txt- given set of QoS parameters. ../data/rfc/rfc4081.txt- ../data/rfc/rfc4081.txt- In today's networks, non-repudiation is not provided. Therefore, it ../data/rfc/rfc4081.txt- might be difficult to introduce with NSIS signaling. The user has to ../data/rfc/rfc4081.txt- trust the network operator to meter the traffic correctly, to collect ../data/rfc/rfc4081.txt: and merge accounting data, and to ensure that no unforeseen problems ../data/rfc/rfc4081.txt- ../data/rfc/rfc4081.txt- ../data/rfc/rfc4081.txt- ../data/rfc/rfc4081.txt- ../data/rfc/rfc4081.txt- -- ../data/rfc/rfc4081.txt- Network elements within a domain (intra-domain) experience a ../data/rfc/rfc4081.txt- different trust relationship with regard to the security protection ../data/rfc/rfc4081.txt- of signaling messages from that of edge NSIS entities. It is assumed ../data/rfc/rfc4081.txt- that edge NSIS entities are responsible for performing cryptographic ../data/rfc/rfc4081.txt- processing (authentication, integrity and replay protection, ../data/rfc/rfc4081.txt: authorization, and accounting) for signaling messages arriving from ../data/rfc/rfc4081.txt- the outside. 
This prevents unprotected signaling messages from ../data/rfc/rfc4081.txt- appearing within the internal network. If, however, an adversary ../data/rfc/rfc4081.txt- manages to take over an edge router, then the security of the entire ../data/rfc/rfc4081.txt- network is compromised. An adversary is then able to launch a number ../data/rfc/rfc4081.txt- of attacks, including denial of service; integrity violations; replay -- ../data/rfc/rfc7015.txt- determined by the maximum active timeout. ../data/rfc/rfc7015.txt- ../data/rfc/rfc7015.txt- In certain circumstances, additional delay at the original Exporter ../data/rfc/rfc7015.txt- may cause an IAP to close an interval before the last Original ../data/rfc/rfc7015.txt- Flow(s) accountable to the interval arrives. In this case, the IAP ../data/rfc/rfc7015.txt: MAY drop the late Original Flow(s). Accounting of Flows lost at an ../data/rfc/rfc7015.txt- Intermediate Process due to such issues is covered in ../data/rfc/rfc7015.txt- [IPFIX-MED-PROTO]. ../data/rfc/rfc7015.txt- ../data/rfc/rfc7015.txt-6.3. Considerations for Aggregation of Sampled Flows ../data/rfc/rfc7015.txt- -- ../data/rfc/rfc7015.txt- described in Section 5.1.1, the Exporting Process MAY export an ../data/rfc/rfc7015.txt- Aggregate Counter Distribution Option Record for each Template ../data/rfc/rfc7015.txt- describing Aggregated Flow records; this Options Template is ../data/rfc/rfc7015.txt- described below. It uses the valueDistributionMethod Information ../data/rfc/rfc7015.txt- Element, also defined below. 
Since, in many cases, distribution is ../data/rfc/rfc7015.txt: simple, accounting the counters from Contributing Flows to the first ../data/rfc/rfc7015.txt- Interval to which they contribute, this is the default situation, for ../data/rfc/rfc7015.txt- which no Aggregate Counter Distribution Record is necessary; ../data/rfc/rfc7015.txt- Aggregate Counter Distribution Records are only applicable in more ../data/rfc/rfc7015.txt- exotic situations, such as using an Aggregation Interval smaller than ../data/rfc/rfc7015.txt- the durations of Original Flows. -- ../data/rfc/rfc5253.txt-9. Manageability Considerations ../data/rfc/rfc5253.txt- ../data/rfc/rfc5253.txt- Manageability considerations are described in [RFC4847]. In the ../data/rfc/rfc5253.txt- L1VPN Basic Mode, we rely on management systems for various aspects ../data/rfc/rfc5253.txt- of the different service functions, such as fault management, ../data/rfc/rfc5253.txt: configuration and policy management, accounting management, ../data/rfc/rfc5253.txt- performance management, and security management (as described in ../data/rfc/rfc5253.txt- Section 8). ../data/rfc/rfc5253.txt- ../data/rfc/rfc5253.txt- In order to support various management functionalities, MIB modules ../data/rfc/rfc5253.txt- need to be supported. In particular, the GMPLS TE MIB (GMPLS-TE-STD- -- ../data/rfc/rfc4665.txt- Standard interfaces to manage L2VPN services MUST be provided (e.g., ../data/rfc/rfc4665.txt- standard SNMP MIB Modules). These interfaces SHOULD provide access ../data/rfc/rfc4665.txt- to configuration, verification and runtime monitoring protocols. ../data/rfc/rfc4665.txt- ../data/rfc/rfc4665.txt- Service management MAY include the TMN 'FCAPS' functionalities, as ../data/rfc/rfc4665.txt: follows: Fault, Configuration, Accounting, Performance, and Security, ../data/rfc/rfc4665.txt- as detailed in [ITU_Y.1311.1]. ../data/rfc/rfc4665.txt- ../data/rfc/rfc4665.txt-5.12. 
Interoperability ../data/rfc/rfc4665.txt- ../data/rfc/rfc4665.txt- Multi-vendor interoperability, which corresponds to similar network -- ../data/rfc/rfc4665.txt- standards-based interfaces (e.g., L2VPN MIB Modules), wherever ../data/rfc/rfc4665.txt- feasible. ../data/rfc/rfc4665.txt- ../data/rfc/rfc4665.txt- The details of service provider management requirements for a Network ../data/rfc/rfc4665.txt- Management System (NMS) in the traditional fault, configuration, ../data/rfc/rfc4665.txt: accounting, performance, and security (FCAPS) management categories ../data/rfc/rfc4665.txt- can be found in [ITU_Y.1311.1]. ../data/rfc/rfc4665.txt- ../data/rfc/rfc4665.txt-9. Engineering Requirements ../data/rfc/rfc4665.txt- ../data/rfc/rfc4665.txt- These requirements are driven by implementation characteristics that -- ../data/rfc/rfc7156.txt- statement for PMIPv6 localized routing. Based on the scenarios A11, ../data/rfc/rfc7156.txt- A12, and A21 described in [RFC6279], [RFC6705] specifies the PMIPv6 ../data/rfc/rfc7156.txt- localized routing protocol that is used to establish a localized ../data/rfc/rfc7156.txt- routing path between two Mobile Access Gateways in a PMIPv6 domain. ../data/rfc/rfc7156.txt- ../data/rfc/rfc7156.txt: This document describes Authentication, Authorization, and Accounting ../data/rfc/rfc7156.txt- (AAA) support using Diameter [RFC6733] for the authorization ../data/rfc/rfc7156.txt- procedure between the PMIPv6 mobility entities (MAG or LMA) and a AAA ../data/rfc/rfc7156.txt- server within a Proxy Mobile IPv6 domain for localized routing in the ../data/rfc/rfc7156.txt- scenarios A11, A12, and A21 described in [RFC6279]. ../data/rfc/rfc7156.txt- -- ../data/rfc/rfc6235.txt- +-----------------------+----------------------------+ ../data/rfc/rfc6235.txt- ../data/rfc/rfc6235.txt-4.3.1. 
Precision Degradation ../data/rfc/rfc6235.txt- ../data/rfc/rfc6235.txt- Precision Degradation is a generalization technique that removes the ../data/rfc/rfc6235.txt: most precise components of a timestamp, accounting for all events ../data/rfc/rfc6235.txt- occurring in each given interval (e.g., one millisecond for ../data/rfc/rfc6235.txt- millisecond level degradation) as simultaneous. This has the effect ../data/rfc/rfc6235.txt- of potentially collapsing many timestamps into one. With this ../data/rfc/rfc6235.txt- technique, time precision is reduced and sequencing may be lost, but ../data/rfc/rfc6235.txt- the information regarding at which time the event occurred is -- ../data/rfc/rfc5692.txt- specified in Section 7.1.1. ../data/rfc/rfc5692.txt- ../data/rfc/rfc5692.txt-8. Public Access Recommendations ../data/rfc/rfc5692.txt- ../data/rfc/rfc5692.txt- In the public access scenario, direct communication between nodes is ../data/rfc/rfc5692.txt: restricted because of security and accounting issues. Figure 4 ../data/rfc/rfc5692.txt- depicts the public access scenario. ../data/rfc/rfc5692.txt- ../data/rfc/rfc5692.txt- In this scenario, the AR is connected to a network-side bridge. The ../data/rfc/rfc5692.txt: AR MAY perform security filtering, policing, and accounting of all ../data/rfc/rfc5692.txt- traffic from hosts, e.g., like an NAS (Network Access Server). 
../data/rfc/rfc5692.txt- ../data/rfc/rfc5692.txt- If the AR functions as the NAS, all the traffic from SSs SHOULD be ../data/rfc/rfc5692.txt- forwarded to the AR, not bridged at the network-side bridging ../data/rfc/rfc5692.txt- function -- even in the case of traffic between SSs served by the -- ../data/rfc/rfc6421.txt- implementations, crypto-agility may be better defined as the ability ../data/rfc/rfc6421.txt- of RADIUS implementations to automatically negotiate cryptographic ../data/rfc/rfc6421.txt- algorithms for use in RADIUS exchanges, including the algorithms used ../data/rfc/rfc6421.txt- to integrity protect and authenticate RADIUS packets and to hide ../data/rfc/rfc6421.txt- RADIUS attributes. This capability covers all RADIUS message types: ../data/rfc/rfc6421.txt: Access-Request/Response, Accounting-Request/Response, CoA/Disconnect- ../data/rfc/rfc6421.txt- Request/Response, and Status-Server. Negotiation of cryptographic ../data/rfc/rfc6421.txt- algorithms MAY occur within the RADIUS protocol, or within a lower ../data/rfc/rfc6421.txt- layer such as the transport layer. ../data/rfc/rfc6421.txt- ../data/rfc/rfc6421.txt- Proposals MUST NOT introduce generic new capability negotiation -- ../data/rfc/rfc6421.txt- ../data/rfc/rfc6421.txt-4.5. Scope of Work ../data/rfc/rfc6421.txt- ../data/rfc/rfc6421.txt- Crypto-agility solutions MUST apply to all RADIUS packet types, ../data/rfc/rfc6421.txt- including Access-Request, Access-Challenge, Access-Reject, ../data/rfc/rfc6421.txt: Access-Accept, Accounting-Request, Accounting-Response, Status-Server ../data/rfc/rfc6421.txt- and CoA/Disconnect messages. ../data/rfc/rfc6421.txt- ../data/rfc/rfc6421.txt- Since it is expected that the work will occur purely within RADIUS or ../data/rfc/rfc6421.txt- in the transport, message data exchanged with Diameter SHOULD NOT be ../data/rfc/rfc6421.txt- affected. -- ../data/rfc/rfc6421.txt- ../data/rfc/rfc6421.txt- [RFC4107] Bellovin, S. and R. 
Housley, "Guidelines for Cryptographic ../data/rfc/rfc6421.txt- Key Management", BCP 107, RFC 4107, June 2005. ../data/rfc/rfc6421.txt- ../data/rfc/rfc6421.txt- [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, ../data/rfc/rfc6421.txt: Authorization, and Accounting (AAA) Key Management", BCP ../data/rfc/rfc6421.txt- 132, RFC 4962, July 2007. ../data/rfc/rfc6421.txt- ../data/rfc/rfc6421.txt- [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations ../data/rfc/rfc6421.txt- for the MD5 Message-Digest and the HMAC-MD5 Algorithms", ../data/rfc/rfc6421.txt- RFC 6151, March 2011. -- ../data/rfc/rfc7713.txt- flow or degrades over time, and what defines the end of the ../data/rfc/rfc7713.txt- duration of a flow; ../data/rfc/rfc7713.txt- ../data/rfc/rfc7713.txt- E. a specification for signal units (bytes vs. packets, etc.), ../data/rfc/rfc7713.txt- any approximations allowed, and the algorithms to do any ../data/rfc/rfc7713.txt: implied conversions or accounting; ../data/rfc/rfc7713.txt- ../data/rfc/rfc7713.txt- F. if the units are bytes, a definition of which headers are ../data/rfc/rfc7713.txt- included in the size of the packet; ../data/rfc/rfc7713.txt- ../data/rfc/rfc7713.txt- G. 
how tunnels should propagate the ConEx encoding; -- ../data/rfc/rfc2700.txt--------- PPP Bridging Control Protocol (BCP) 2878* ../data/rfc/rfc2700.txt--------- Diffie-Hellman Proof-of-Possession Algorithms 2875* ../data/rfc/rfc2700.txt--------- DNS Extensions to Support IPv6 Address Aggregation 2874* ../data/rfc/rfc2700.txt- and Renumbering ../data/rfc/rfc2700.txt--------- TCP Processing of the IPv4 Precedence Field 2873* ../data/rfc/rfc2700.txt:RADIUS RADIUS Accounting Modifications for Tunnel Protocol 2867* ../data/rfc/rfc2700.txt- Support ../data/rfc/rfc2700.txt--------- The Inverted Stack Table Extension to the Interfaces 2864* ../data/rfc/rfc2700.txt- Group MIB ../data/rfc/rfc2700.txt--------- RTP Payload Format for Real-Time Pointers 2862* ../data/rfc/rfc2700.txt-MEXT-BGP4 Multiprotocol Extensions for BGP-4 2858* -- ../data/rfc/rfc2700.txt-WEBDAV HTTP Extensions for Distributed Authoring -- WEBDAV 2518 ../data/rfc/rfc2700.txt-ATM-MIBMAN Definitions of Managed Objects for ATM Management 2515 ../data/rfc/rfc2700.txt-ATM-TC-OID Definitions of Textual Conventions and OBJECT- 2514 ../data/rfc/rfc2700.txt- IDENTITIES for ATM Management ../data/rfc/rfc2700.txt--------- Managed Objects for Controlling the Collection 2513 ../data/rfc/rfc2700.txt: and Storage of Accounting Information for ../data/rfc/rfc2700.txt- Connection-Oriented Networks ../data/rfc/rfc2700.txt:-------- Accounting Information for ATM Networks 2512 ../data/rfc/rfc2700.txt-X.509-CRMF Internet X.509 Certificate Request Message Format 2511 ../data/rfc/rfc2700.txt-PKICMP Internet X.509 Public Key Infrastructure Certificate 2510 ../data/rfc/rfc2700.txt- Management Protocols ../data/rfc/rfc2700.txt-IPCOM-PPP IP Header Compression over PPP 2509 ../data/rfc/rfc2700.txt--------- Compressing IP/UDP/RTP Headers for Low-Speed Serial 2508 -- ../data/rfc/rfc399.txt-referencing a file. 
The user name and account number specified ../data/rfc/rfc399.txt-remain in effect until another LGI command is issued, a LGO ../data/rfc/rfc399.txt-command is issued, or the connection is closed. ../data/rfc/rfc399.txt- ../data/rfc/rfc399.txt- At present, the use of SMFS is not billed, and therefore ../data/rfc/rfc399.txt:use of the accounting commands is optional. It is requested, ../data/rfc/rfc399.txt-however, that users and user processes begin to use this command ../data/rfc/rfc399.txt-as soon as possible, since we would like to collect statistics on ../data/rfc/rfc399.txt-SMFS utilization before implementing billing. Therefore, at ../data/rfc/rfc399.txt-present the user name can be any name that identfies the user, ../data/rfc/rfc399.txt-and the account number is completely arbitrary. -- ../data/rfc/rfc399.txt-filenames. ../data/rfc/rfc399.txt- ../data/rfc/rfc399.txt- ../data/rfc/rfc399.txt- Logout (LGO) ../data/rfc/rfc399.txt- The logout command terminates the association between the ../data/rfc/rfc399.txt:user and the accounting information specified in the last LGI ../data/rfc/rfc399.txt-command issued, if any; it does not cause SMFS to close the ../data/rfc/rfc399.txt-connection. The user should then issue another LGI command ../data/rfc/rfc399.txt-before attempting any operation referencing a file. It is not ../data/rfc/rfc399.txt-necessary to issue a LGO command before issuing another LGI ../data/rfc/rfc399.txt-command, or before closing the connection. -- ../data/rfc/rfc5320.txt- 3. Applicability Statement .........................................7 ../data/rfc/rfc5320.txt- 4. SEAL Protocol Specification - Tunnel Mode .......................8 ../data/rfc/rfc5320.txt- 4.1. Model of Operation .........................................8 ../data/rfc/rfc5320.txt- 4.2. ITE Specification .........................................10 ../data/rfc/rfc5320.txt- 4.2.1. Tunnel Interface MTU ...............................10 ../data/rfc/rfc5320.txt: 4.2.2. 
Accounting for Headers .............................11 ../data/rfc/rfc5320.txt- 4.2.3. Segmentation and Encapsulation .....................12 ../data/rfc/rfc5320.txt- 4.2.4. Sending Probes .....................................14 ../data/rfc/rfc5320.txt- 4.2.5. Packet Identification ..............................15 ../data/rfc/rfc5320.txt- 4.2.6. Sending SEAL Protocol Packets ......................15 ../data/rfc/rfc5320.txt- 4.2.7. Processing Raw ICMPv4 Messages .....................15 -- ../data/rfc/rfc5320.txt- independent packet. For all other inner packets (IPv4 or IPv6), the ../data/rfc/rfc5320.txt- ITE admits the packet if it is no larger than the tunnel interface ../data/rfc/rfc5320.txt- MTU; otherwise, it drops the packet and sends an ICMP PTB message ../data/rfc/rfc5320.txt- with an MTU value of the tunnel interface MTU to the source. ../data/rfc/rfc5320.txt- ../data/rfc/rfc5320.txt:4.2.2. Accounting for Headers ../data/rfc/rfc5320.txt- ../data/rfc/rfc5320.txt- As for any transport layer protocol, ITEs use the MTU of the ../data/rfc/rfc5320.txt- underlying IPv4 interface, the length of any mid-layer '*' headers ../data/rfc/rfc5320.txt- and trailers, and the length of the outer SEAL/*/IPv4 headers to ../data/rfc/rfc5320.txt- determine the maximum size for a SEAL segment (see Section 4.2.3). -- ../data/rfc/rfc3752.txt- them. Examples include: ../data/rfc/rfc3752.txt- ../data/rfc/rfc3752.txt- o Logging/Monitoring: Each response may be examined and recorded for ../data/rfc/rfc3752.txt- monitoring or debugging purposes. ../data/rfc/rfc3752.txt- ../data/rfc/rfc3752.txt: o Accounting: An OPES processor may record the usage data (time and ../data/rfc/rfc3752.txt- space) of each service request for billing purposes. ../data/rfc/rfc3752.txt- ../data/rfc/rfc3752.txt-2.3. 
Services creating responses ../data/rfc/rfc3752.txt- ../data/rfc/rfc3752.txt- Services creating responses may include OPES services that -- ../data/rfc/rfc4949.txt- subsequent investigation of security breaches. Individual persons ../data/rfc/rfc4949.txt- who are system users are held accountable for their actions after ../data/rfc/rfc4949.txt- being notified of the rules of behavior for using the system and ../data/rfc/rfc4949.txt- the penalties associated with violating those rules. ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt: $ accounting See: COMSEC accounting. ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt: $ accounting legend code (ALC) ../data/rfc/rfc4949.txt- (O) /U.S. Government/ Numeric system used to indicate the minimum ../data/rfc/rfc4949.txt: accounting controls required for items of COMSEC material within ../data/rfc/rfc4949.txt: the CMCS. [C4009] (See: COMSEC accounting.) ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- $ accreditation ../data/rfc/rfc4949.txt- (N) An administrative action by which a designated authority ../data/rfc/rfc4949.txt- declares that an information system is approved to operate in a ../data/rfc/rfc4949.txt- particular security configuration with a prescribed set of -- ../data/rfc/rfc4949.txt- room. If A and B operate in different security domains, then ../data/rfc/rfc4949.txt- moving data across the air gap may involve an upgrade or downgrade ../data/rfc/rfc4949.txt- operation. ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- $ ALC ../data/rfc/rfc4949.txt: (O) See: accounting legend code. ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- -- ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- Information Security Foundation chartered by the U.S. 
Government) ../data/rfc/rfc4949.txt- have not been implemented at all, and others (e.g., codifying ../data/rfc/rfc4949.txt- Generally Accepted System Security Principles similar to ../data/rfc/rfc4949.txt: accounting principles) have been implemented but not widely ../data/rfc/rfc4949.txt- adopted [SP14, SP27]. ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- $ COMSEC ../data/rfc/rfc4949.txt- (I) See: communication security. ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- $ COMSEC account ../data/rfc/rfc4949.txt- (O) /U.S. Government/ "Administrative entity, identified by an ../data/rfc/rfc4949.txt- account number, used to maintain accountability, custody, and ../data/rfc/rfc4949.txt- control of COMSEC material." [C4009] (See: COMSEC custodian.) ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt: $ COMSEC accounting ../data/rfc/rfc4949.txt- (O) /U.S. Government/ The process of creating, collecting, and ../data/rfc/rfc4949.txt- maintaining data records that describe the status and custody of ../data/rfc/rfc4949.txt: designated items of COMSEC material. (See: accounting legend ../data/rfc/rfc4949.txt- code.) ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- Tutorial: Almost any secure information system needs to record a ../data/rfc/rfc4949.txt- security audit trail, but a system that manages COMSEC material ../data/rfc/rfc4949.txt- needs to record additional data about the status and custody of -- ../data/rfc/rfc4949.txt- key generation and key handling and storage." [C4009] (Compare: ../data/rfc/rfc4949.txt- cryptographic boundary.) ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- $ COMSEC custodian ../data/rfc/rfc4949.txt- (O) /U.S. Government/ "Individual designated by proper authority ../data/rfc/rfc4949.txt: to be responsible for the receipt, transfer, accounting, ../data/rfc/rfc4949.txt- safeguarding, and destruction of COMSEC material assigned to a ../data/rfc/rfc4949.txt- COMSEC account." 
[C4009] ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- $ COMSEC material ../data/rfc/rfc4949.txt- (N) /U.S. Government/ Items designed to secure or authenticate -- ../data/rfc/rfc4949.txt- and software that embodies or describes cryptographic logic; and ../data/rfc/rfc4949.txt- other items that perform COMSEC functions. [C4009] (Compare: ../data/rfc/rfc4949.txt- keying material.) ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- $ COMSEC Material Control System (CMCS) ../data/rfc/rfc4949.txt: (O) /U.S. Government/ "Logistics and accounting system through ../data/rfc/rfc4949.txt- which COMSEC material marked 'CRYPTO' is distributed, controlled, ../data/rfc/rfc4949.txt- and safeguarded." [C4009] (See: COMSEC account, COMSEC custodian.) ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- $ confidentiality ../data/rfc/rfc4949.txt- See: data confidentiality. -- ../data/rfc/rfc4949.txt- of that process. (See: key distribution, key escrow, keying ../data/rfc/rfc4949.txt- material, public-key infrastructure.) ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- Usage: Usually understood to include ordering, generating, ../data/rfc/rfc4949.txt- storing, archiving, escrowing, distributing, loading, destroying, ../data/rfc/rfc4949.txt: auditing, and accounting for the material. ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- 1b. (O) /NIST/ "The activities involving the handling of ../data/rfc/rfc4949.txt- cryptographic keys and other related security parameters (e.g., ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- -- ../data/rfc/rfc4949.txt- (I) An independent review and examination of a system's records ../data/rfc/rfc4949.txt- and activities to determine the adequacy of system controls, ../data/rfc/rfc4949.txt- ensure compliance with established security policy and procedures, ../data/rfc/rfc4949.txt- detect breaches in security services, and recommend any changes ../data/rfc/rfc4949.txt- that are indicated for countermeasures. 
[I7498-2, NCS01] (Compare: ../data/rfc/rfc4949.txt: accounting, intrusion detection.) ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- Tutorial: The basic audit objective is to establish accountability ../data/rfc/rfc4949.txt- for system entities that initiate or participate in security- ../data/rfc/rfc4949.txt- relevant events and actions. Thus, means are needed to generate ../data/rfc/rfc4949.txt- and record a security audit trail and to review and analyze the -- ../data/rfc/rfc4949.txt- emanation. Compare: SCIF.) ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- $ short title ../data/rfc/rfc4949.txt- (O) "Identifying combination of letters and numbers assigned to ../data/rfc/rfc4949.txt- certain items of COMSEC material to facilitate handling, ../data/rfc/rfc4949.txt: accounting, and controlling." [C4009] (Compare: KMID, long title.) ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt-Shirey Informational [Page 281] ../data/rfc/rfc4949.txt- -- ../data/rfc/rfc4949.txt- $ TACACS ../data/rfc/rfc4949.txt- (I) See: Terminal Access Controller (TAC) Access Control System. ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- $ TACACS+ ../data/rfc/rfc4949.txt- (I) A TCP-based protocol that improves on TACACS by separating the ../data/rfc/rfc4949.txt: functions of authentication, authorization, and accounting and by ../data/rfc/rfc4949.txt- encrypting all traffic between the network access server and ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt- ../data/rfc/rfc4949.txt-Shirey Informational [Page 300] -- ../data/rfc/rfc3871.txt-RFC 3871 Operational Security Requirements September 2004 ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt- 2.11.10. Logs Contain Records Of Security Events . . . . 54 ../data/rfc/rfc3871.txt- 2.11.11. Logs Do Not Contain Passwords . . . . . . . . . 55 ../data/rfc/rfc3871.txt: 2.12. 
Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc3871.txt- Requirements . . . . . . . . . . . . . . . . . . . . . . 55 ../data/rfc/rfc3871.txt- 2.12.1. Authenticate All User Access. . . . . . . . . . 55 ../data/rfc/rfc3871.txt- 2.12.2. Support Authentication of Individual Users. . . 56 ../data/rfc/rfc3871.txt- 2.12.3. Support Simultaneous Connections. . . . . . . . 56 ../data/rfc/rfc3871.txt- 2.12.4. Ability to Disable All Local Accounts . . . . . 57 -- ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt- This information is necessary to enable a thorough assessment of ../data/rfc/rfc3871.txt- the security risks associated with the operation of the device ../data/rfc/rfc3871.txt- (e.g., "does this protocol allow complete management of the device ../data/rfc/rfc3871.txt- without also requiring authentication, authorization, or ../data/rfc/rfc3871.txt: accounting?"). The information also assists in determining what ../data/rfc/rfc3871.txt- steps should be taken to mitigate risk (e.g., "should I turn this ../data/rfc/rfc3871.txt- service off ?") ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt- -- ../data/rfc/rfc3871.txt- records of successful or failed authentication attempts. ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt- Justification. ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt- Access control and authorization requirements differ for ../data/rfc/rfc3871.txt: accounting records (logs) and authorization databases (passwords). ../data/rfc/rfc3871.txt- Logging passwords may grant unauthorized access to individuals ../data/rfc/rfc3871.txt- with access to the logs. Logging failed passwords may give hints ../data/rfc/rfc3871.txt- about actual passwords. See section 4.5.4.4 of [RFC2196]. ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt- Examples. -- ../data/rfc/rfc3871.txt- Warnings. 
../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt- There may be situations where it is appropriate/required to log ../data/rfc/rfc3871.txt- passwords. ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt:2.12. Authentication, Authorization, and Accounting (AAA) Requirements ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt-2.12.1. Authenticate All User Access ../data/rfc/rfc3871.txt- ../data/rfc/rfc3871.txt- Requirement. ../data/rfc/rfc3871.txt- -- ../data/rfc/rfc1380.txt- ../data/rfc/rfc1380.txt-RFC 1380 ROAD November 1992 ../data/rfc/rfc1380.txt- ../data/rfc/rfc1380.txt- ../data/rfc/rfc1380.txt- emerging internet problems such as security/authentication, mobility, ../data/rfc/rfc1380.txt: resource allocation, accounting, high packet rates, etc. ../data/rfc/rfc1380.txt- ../data/rfc/rfc1380.txt-Appendix C. BIBLIOGRAPHY ../data/rfc/rfc1380.txt- ../data/rfc/rfc1380.txt--Documents and Information from IETF/IESG: ../data/rfc/rfc1380.txt- -- ../data/rfc/rfc3954.txt- ../data/rfc/rfc3954.txt- Cisco Systems' NetFlow services provide network administrators with ../data/rfc/rfc3954.txt- access to IP flow information from their data networks. Network ../data/rfc/rfc3954.txt- elements (routers and switches) gather flow data and export it to ../data/rfc/rfc3954.txt- collectors. The collected data provides fine-grained metering for ../data/rfc/rfc3954.txt: highly flexible and detailed resource usage accounting. ../data/rfc/rfc3954.txt- ../data/rfc/rfc3954.txt- A flow is defined as a unidirectional sequence of packets with some ../data/rfc/rfc3954.txt- common properties that pass through a network device. These ../data/rfc/rfc3954.txt- collected flows are exported to an external device, the NetFlow ../data/rfc/rfc3954.txt- collector. 
Network flows are highly granular; for example, flow ../data/rfc/rfc3954.txt- records include details such as IP addresses, packet and byte counts, ../data/rfc/rfc3954.txt- timestamps, Type of Service (ToS), application ports, input and ../data/rfc/rfc3954.txt- output interfaces, etc. ../data/rfc/rfc3954.txt- ../data/rfc/rfc3954.txt- Exported NetFlow data is used for a variety of purposes, including ../data/rfc/rfc3954.txt: enterprise accounting and departmental chargebacks, ISP billing, data ../data/rfc/rfc3954.txt- ../data/rfc/rfc3954.txt- ../data/rfc/rfc3954.txt- ../data/rfc/rfc3954.txt-Claise Informational [Page 2] ../data/rfc/rfc3954.txt- -- ../data/rfc/rfc3954.txt- activities, whilst a Flow Record only containing the source and ../data/rfc/rfc3954.txt- destination IP network would be less revealing. ../data/rfc/rfc3954.txt- ../data/rfc/rfc3954.txt-10.2. Forgery of Flow Records or Template Records ../data/rfc/rfc3954.txt- ../data/rfc/rfc3954.txt: If Flow Records are used in accounting and/or security applications, ../data/rfc/rfc3954.txt- there may be a strong incentive to forge exported Flow Records (for ../data/rfc/rfc3954.txt- example to defraud the service provider, or to prevent the detection ../data/rfc/rfc3954.txt- of an attack). This can be done either by altering the Flow Records ../data/rfc/rfc3954.txt- on the path between the Observer and the Collector, or by injecting ../data/rfc/rfc3954.txt- forged Flow Records that pretend to be originated by the Exporter. -- ../data/rfc/rfc3053.txt- ../data/rfc/rfc3053.txt- The client of the Tunnel Broker service is a dual-stack IPv6 node ../data/rfc/rfc3053.txt- (host or router) connected to the IPv4 Internet. 
Approaching the TB,
../data/rfc/rfc3053.txt- the client should be asked first of all to provide its identity and
../data/rfc/rfc3053.txt- credentials so that proper user authentication, authorization and
../data/rfc/rfc3053.txt: (optionally) accounting can be carried out (e.g., relying on existing
../data/rfc/rfc3053.txt- AAA facilities such as RADIUS). This means that the client and the
../data/rfc/rfc3053.txt- TB have to share a pre-configured or automatically established
../data/rfc/rfc3053.txt- security association to be used to prevent unauthorized use of the
../data/rfc/rfc3053.txt- service. With this respect the TB can be seen as an access-control
../data/rfc/rfc3053.txt- server for IPv4 interconnected IPv6 users.
--
../data/rfc/rfc3053.txt- (e.g. broker.isp-name.com).
../data/rfc/rfc3053.txt-
../data/rfc/rfc3053.txt-2.7 Open issues
../data/rfc/rfc3053.txt-
../data/rfc/rfc3053.txt- Real usage of the TB service may require the introduction of
../data/rfc/rfc3053.txt: accounting/billing functions.
../data/rfc/rfc3053.txt-
../data/rfc/rfc3053.txt-3. Known limitations
../data/rfc/rfc3053.txt-
../data/rfc/rfc3053.txt- This mechanism may not work if the user is using private IPv4
../data/rfc/rfc3053.txt- addresses behind a NAT box.
--
../data/rfc/rfc4120.txt- Encryption for Authentication in Large Networks of
../data/rfc/rfc4120.txt- Computers," Communications of the ACM, Vol. 21
../data/rfc/rfc4120.txt- (12), pp. 993-999, December 1978.
../data/rfc/rfc4120.txt-
../data/rfc/rfc4120.txt- [Neu93] B. Clifford Neuman, "Proxy-Based Authorization and
../data/rfc/rfc4120.txt: Accounting for Distributed Systems," in
../data/rfc/rfc4120.txt- Proceedings of the 13th International Conference
../data/rfc/rfc4120.txt- on Distributed Computing Systems, Pittsburgh, PA,
../data/rfc/rfc4120.txt- May 1993.
../data/rfc/rfc4120.txt-
../data/rfc/rfc4120.txt-
--
../data/rfc/rfc615.txt-I believe that any modifications to the syntax will be graceful
../data/rfc/rfc615.txt-additions, rather than wholesale redesign, and thus can be deferred for a
../data/rfc/rfc615.txt-while. Currently, any undefined attributes must be specified in a
../data/rfc/rfc615.txt-Siteparm field:
../data/rfc/rfc615.txt-
../data/rfc/rfc615.txt:Perhaps Version, Access protection and Accounting, as well as other types
../data/rfc/rfc615.txt-of information, should be made standard <key>s, rather than buried as
../data/rfc/rfc615.txt-Siteparms. I expect that the next version of the NSDP Syntax
../data/rfc/rfc615.txt-specification will include them as <key>s, but I would like to wait for
../data/rfc/rfc615.txt-some comments from the community.
../data/rfc/rfc615.txt-
--
../data/rfc/rfc2680.txt-
../data/rfc/rfc2680.txt-
../data/rfc/rfc2680.txt-2.7. Errors and Uncertainties:
../data/rfc/rfc2680.txt-
../data/rfc/rfc2680.txt- The description of any specific measurement method should include an
../data/rfc/rfc2680.txt: accounting and analysis of various sources of error or uncertainty.
../data/rfc/rfc2680.txt- The Framework document provides general guidance on this point.
../data/rfc/rfc2680.txt-
../data/rfc/rfc2680.txt- For loss, there are three sources of error:
../data/rfc/rfc2680.txt-
../data/rfc/rfc2680.txt- + Synchronization between clocks on Src and Dst.
--
../data/rfc/rfc4139.txt-
../data/rfc/rfc4139.txt- Management Plane: Performs management functions for the Transport
../data/rfc/rfc4139.txt- Plane, the control plane, and the system as a whole. It also
../data/rfc/rfc4139.txt- provides coordination between all the planes. The following
../data/rfc/rfc4139.txt- management functional areas are performed in the management plane:
../data/rfc/rfc4139.txt: performance, fault, configuration, accounting, and security
../data/rfc/rfc4139.txt- management.
../data/rfc/rfc4139.txt-
../data/rfc/rfc4139.txt- Management Domain: See Recommendation G.805 [ITU-T-G.805].
../data/rfc/rfc4139.txt-
../data/rfc/rfc4139.txt- Transport Plane: Provides bi-directional or unidirectional transfer
--
../data/rfc/rfc1346.txt-Network Working Group P. Jones
../data/rfc/rfc1346.txt-Request for Comments: 1346 Joint Network Team, UK
../data/rfc/rfc1346.txt- June 1992
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt: Resource Allocation, Control, and Accounting
../data/rfc/rfc1346.txt- for the Use of Network Resources
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-Status of this Memo
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt- This memo provides information for the Internet community. It does
--
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-Jones [Page 1]
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt:RFC 1346 Resource Allocation, Control, and Accounting June 1992
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt- Often the situation can appear worse than having to survive in a
../data/rfc/rfc1346.txt- jungle, in the sense that the strong (even if "good") seem to have
../data/rfc/rfc1346.txt- little advantage over the weak. It may seem that it is the
--
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-Jones [Page 2]
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt:RFC 1346 Resource Allocation, Control, and Accounting June 1992
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt- (d) It may be Network Manager A has a link that Network Manager B
../data/rfc/rfc1346.txt- would like to use on occasion, perhaps as back-up on access to a
../data/rfc/rfc1346.txt- third network.
Network Manager A might well wish to be
--
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-Jones [Page 3]
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt:RFC 1346 Resource Allocation, Control, and Accounting June 1992
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt- Time is an important factor. Network resources, like computer
../data/rfc/rfc1346.txt- processor time and unlike filestore, vanish if they are not used.
../data/rfc/rfc1346.txt- People will in general prefer resources during prime shift to those
--
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-Jones [Page 4]
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt:RFC 1346 Resource Allocation, Control, and Accounting June 1992
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt- the choices are if any), is not clear.
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt- 2.3 Following from that, it is then not clear whether what is
--
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-Jones [Page 5]
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt:RFC 1346 Resource Allocation, Control, and Accounting June 1992
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt-Security Considerations
../data/rfc/rfc1346.txt-
../data/rfc/rfc1346.txt- Security issues are not discussed in this memo.
--
../data/rfc/rfc2477.txt-Aboba & Zorn Informational [Page 2]
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-RFC 2477 Evaluating Roaming Protocols January 1999
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt: Accounting server
../data/rfc/rfc2477.txt: This is a server which provides for accounting within the roaming
../data/rfc/rfc2477.txt- architecture.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- Authentication proxy
../data/rfc/rfc2477.txt- Authentication proxies may be deployed within the roaming
../data/rfc/rfc2477.txt- architecture for several purposes, including authentication
../data/rfc/rfc2477.txt- forwarding, policy implementation, shared secret management, and
../data/rfc/rfc2477.txt- attribute editing. To the NAS, the authentication proxy appears
../data/rfc/rfc2477.txt- to act as an authentication server; to the authentication server,
../data/rfc/rfc2477.txt- the proxy appears to act as an authentication client.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt: Accounting proxy
../data/rfc/rfc2477.txt: Accounting proxies may be deployed within the roaming architecture
../data/rfc/rfc2477.txt: for several purposes, including accounting forwarding, reliability
../data/rfc/rfc2477.txt- improvement, auditing, and "pseudo-transactional" capability. To
../data/rfc/rfc2477.txt: the NAS, the accounting proxy appears to act as an accounting
../data/rfc/rfc2477.txt: server; to the accounting server, the proxy appears to act as an
../data/rfc/rfc2477.txt: accounting client.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- Network Access Identifier
../data/rfc/rfc2477.txt- In order to provide for the routing of authentication and
../data/rfc/rfc2477.txt: accounting packets, user name MAY contain structure. This
../data/rfc/rfc2477.txt- structure provides a means by which the authentication or
../data/rfc/rfc2477.txt: accounting proxies will locate the authentication or accounting
../data/rfc/rfc2477.txt- server that is to receive the request.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-3.
Architectural framework
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- The roaming architecture consists of three major subsystems:
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- Phone book Subsystem
../data/rfc/rfc2477.txt- Authentication Subsystem
../data/rfc/rfc2477.txt: Accounting Subsystem
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- The phone book subsystem is concerned with the maintenance and
../data/rfc/rfc2477.txt- updating of the user phone book. The phone book provides the user
../data/rfc/rfc2477.txt- with information on the location and phone numbers of Points of
../data/rfc/rfc2477.txt- Presence (POPs) that are roaming enabled. The function of the
../data/rfc/rfc2477.txt- authentication subsystem is to provide authorized users with access
../data/rfc/rfc2477.txt- to the POPs in the phonebook, and to deny access to unauthorized
../data/rfc/rfc2477.txt: users. The goal of the accounting subsystem is to provide
../data/rfc/rfc2477.txt- information on the resources utilized during the user's session.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-3.1. Phone Book Subsystem
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- The phone book subsystem provides for the following:
--
../data/rfc/rfc2477.txt- Security
../data/rfc/rfc2477.txt- In the process of authenticating and authorizing the user session,
../data/rfc/rfc2477.txt- it may be desirable to provide protection against a variety of
../data/rfc/rfc2477.txt- security threats.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt:3.3. Accounting Subsystem
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt: The function of the accounting subsystem is to enable the
../data/rfc/rfc2477.txt- participants in the roaming consortium to keep track of what
../data/rfc/rfc2477.txt- resources are used during a session. Relevant information includes
../data/rfc/rfc2477.txt- how long the user was connected to the service, connection speed,
../data/rfc/rfc2477.txt- port type, etc.
../data/rfc/rfc2477.txt-
--
../data/rfc/rfc2477.txt- provide sufficient scalability to allow for the formation of
../data/rfc/rfc2477.txt- roaming associations with thousands of ISP members.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- RADIUS Support
../data/rfc/rfc2477.txt- Given the current popularity and near ubiquity of RADIUS [2,3] as
../data/rfc/rfc2477.txt: an authentication, authorization and accounting solution, a
../data/rfc/rfc2477.txt- roaming standard MUST be able to incorporate RADIUS-enabled
../data/rfc/rfc2477.txt- devices within the roaming architecture. It is expected that this
../data/rfc/rfc2477.txt- will be accomplished by development of gateways between RADIUS and
../data/rfc/rfc2477.txt: the roaming standard authentication, authorization, and accounting
../data/rfc/rfc2477.txt- protocol.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-4.2.4. NAS Configuration/Authorization
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- In order to ensure compatibility with the NAS or the local network,
--
../data/rfc/rfc2477.txt- to support data object security. As a result, a roaming standard
../data/rfc/rfc2477.txt- MUST provide end-to-end confidentiality and integrity protection
../data/rfc/rfc2477.txt- on an attribute-by-attribute basis. However, non-repudiation is
../data/rfc/rfc2477.txt- NOT a requirement for a roaming standard.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt:4.3. Accounting requirements
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt: Real-time accounting
../data/rfc/rfc2477.txt: In today's roaming implementations, real-time accounting is a
../data/rfc/rfc2477.txt- practical necessity in order to support fraud detection and risk
../data/rfc/rfc2477.txt- management. As a result, a roaming standard MUST provide support
../data/rfc/rfc2477.txt: for real-time accounting.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt: Accounting record formats
../data/rfc/rfc2477.txt: Today there is no proposed standard for NAS accounting, and there
../data/rfc/rfc2477.txt- is wide variation in the protocols used by providers to
../data/rfc/rfc2477.txt: communicate accounting information within their own organizations.
../data/rfc/rfc2477.txt- Therefore, a roaming standard MUST prescribe a standardized format
../data/rfc/rfc2477.txt: for accounting records. For the sake of efficiency, the record
../data/rfc/rfc2477.txt- format MUST be compact.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- Extensibility
../data/rfc/rfc2477.txt: A standard accounting record format MUST be able to encode metrics
../data/rfc/rfc2477.txt- commonly used to determine the user's bill. Since these metrics
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-Aboba & Zorn Informational [Page 9]
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-RFC 2477 Evaluating Roaming Protocols January 1999
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt: change over time, the accounting record format MUST be extensible
../data/rfc/rfc2477.txt- so as to be able to add future metrics as they come along. The
../data/rfc/rfc2477.txt- record format MUST support both standard metrics as well as
../data/rfc/rfc2477.txt- vendor-specific metrics.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt-5. References
--
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- [2] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote
../data/rfc/rfc2477.txt- Authentication Dial In User Service (RADIUS)", RFC 2138, April
../data/rfc/rfc2477.txt- 1997.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt: [3] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
../data/rfc/rfc2477.txt- Levels", BCP 14, RFC 2119, March 1997.
../data/rfc/rfc2477.txt-
../data/rfc/rfc2477.txt- [5] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
--
../data/rfc/rfc3010.txt- With delegations, a client is able to avoid writing data to the
../data/rfc/rfc3010.txt- server when the CLOSE of a file is serviced. The CLOSE operation is
../data/rfc/rfc3010.txt- the usual point at which the client is notified of a lack of stable
../data/rfc/rfc3010.txt- storage for the modified file data generated by the application. At
../data/rfc/rfc3010.txt- the CLOSE, file data is written to the server and through normal
../data/rfc/rfc3010.txt: accounting the server is able to determine if the available file
../data/rfc/rfc3010.txt- system space for the data has been exceeded (i.e. server returns
../data/rfc/rfc3010.txt: NFS4ERR_NOSPC or NFS4ERR_DQUOT). This accounting includes quotas.
../data/rfc/rfc3010.txt- The introduction of delegations requires that a alternative method be
../data/rfc/rfc3010.txt- in place for the same type of communication to occur between client
../data/rfc/rfc3010.txt- and server.
../data/rfc/rfc3010.txt-
../data/rfc/rfc3010.txt- In the delegation response, the server provides either the limit of
--
../data/rfc/rfc1192.txt- area network services -- and possibly avoid the imposition of
../data/rfc/rfc1192.txt- standard institutional overhead on direct funding. However, if
../data/rfc/rfc1192.txt- vouchers can be sold to other institutions, as economists would
../data/rfc/rfc1192.txt- advocate in the interests of market efficiency, these advantages may
../data/rfc/rfc1192.txt- be compromised. Even non-transferable vouchers may create a unique
../data/rfc/rfc1192.txt: set of accounting problems for both funding agencies and
../data/rfc/rfc1192.txt- institutional recipients.
../data/rfc/rfc1192.txt-
../data/rfc/rfc1192.txt- A federal subsidy channeled automatically to research grants could
../data/rfc/rfc1192.txt- substantially limit or segregate the user community. It would tend
../data/rfc/rfc1192.txt- to divide the academic community by exacerbating obvious divisions
--
../data/rfc/rfc1192.txt- TymNet), which are sometimes seen as competitive to Internet
../data/rfc/rfc1192.txt- services, do bill on a connect-time basis. However, these commercial
../data/rfc/rfc1192.txt- services use X.25 connection-based packet-switching -- rather than
../data/rfc/rfc1192.txt- the connectionless (datagram) TCP/IP packet-switching used on the
../data/rfc/rfc1192.txt- Internet. Internet services could conceivably be billed on per-
../data/rfc/rfc1192.txt: packet basis, but the accounting overhead would be high and packets
../data/rfc/rfc1192.txt- do not contain information about individual users. At bottom, this
../data/rfc/rfc1192.txt- is a marketing issue, and there is no evidence of any market for
../data/rfc/rfc1192.txt- metered services -- except possibly among very small users. The
../data/rfc/rfc1192.txt- private suppliers, Alternet and PSI, both sell "pipes" not packets.
../data/rfc/rfc1192.txt-
--
../data/rfc/rfc1700.txt-64-149 Unassigned [JBP]
../data/rfc/rfc1700.txt-150 Xerox NS IDP [ETHERNET,XEROX]
../data/rfc/rfc1700.txt-151 Unassigned [JBP]
../data/rfc/rfc1700.txt-152 PARC Universal Protocol [PUP,XEROX]
../data/rfc/rfc1700.txt-153 TIP Status Reporting [JGH]
../data/rfc/rfc1700.txt:154 TIP Accounting [JGH]
../data/rfc/rfc1700.txt-155 Internet Protocol [regular] [RFC791,JBP]
../data/rfc/rfc1700.txt-156-158 Internet Protocol [experimental] [RFC791,JBP]
../data/rfc/rfc1700.txt-159 Figleaf Link [JBW1]
../data/rfc/rfc1700.txt-160 Blacker Local Network Protocol [DM28]
../data/rfc/rfc1700.txt-161-194 Unassigned [JBP]
--
../data/rfc/rfc7597.txt- part of obtaining IPv6 Internet access.
../data/rfc/rfc7597.txt-
../data/rfc/rfc7597.txt- The MAP provisioning parameters, and hence the IPv4 service itself,
../data/rfc/rfc7597.txt- are tied to the associated End-user IPv6 prefix lifetime; thus, the
../data/rfc/rfc7597.txt- MAP service is also tied to this in terms of authorization,
../data/rfc/rfc7597.txt: accounting, etc.
../data/rfc/rfc7597.txt-
../data/rfc/rfc7597.txt- A single MAP CE MAY be connected to more than one MAP domain, just as
../data/rfc/rfc7597.txt- any router may have more than one IPv4-enabled service-provider-
../data/rfc/rfc7597.txt- facing interface and more than one set of associated addresses
../data/rfc/rfc7597.txt- assigned by DHCP. Each domain within which a given CE operates would
--
../data/rfc/rfc7406.txt-
../data/rfc/rfc7406.txt- In the context of NAA, the IAP and the ISP will probably want to make
../data/rfc/rfc7406.txt- sure that the claimed emergency caller indeed performs an emergency
../data/rfc/rfc7406.txt- call rather than using the network for other purposes, and thereby
../data/rfc/rfc7406.txt- acting fraudulent by skipping any authentication, authorization, and
../data/rfc/rfc7406.txt: accounting procedures. By restricting access of the unauthenticated
../data/rfc/rfc7406.txt- emergency caller to the LoST server and the PSAP URI, traffic can be
../data/rfc/rfc7406.txt- restricted only to emergency calls. This can be accomplished with
../data/rfc/rfc7406.txt- traffic separation. However, the details, e.g., for using filtering,
../data/rfc/rfc7406.txt-
../data/rfc/rfc7406.txt-
--
../data/rfc/rfc3318.txt-
../data/rfc/rfc3318.txt-RFC 3318 Framework Policy Information Base March 2003
../data/rfc/rfc3318.txt-
../data/rfc/rfc3318.txt-
../data/rfc/rfc3318.txt- implementation specific and may be used for other policy related
../data/rfc/rfc3318.txt: functions like flow accounting purposes and/or other data path
../data/rfc/rfc3318.txt- treatments.
../data/rfc/rfc3318.txt-
../data/rfc/rfc3318.txt-5.
The Framework PIB Module
../data/rfc/rfc3318.txt-
../data/rfc/rfc3318.txt- FRAMEWORK-PIB PIB-DEFINITIONS ::= BEGIN
--
../data/rfc/rfc3318.txt- SYNTAX OCTET STRING
../data/rfc/rfc3318.txt- STATUS current
../data/rfc/rfc3318.txt- DESCRIPTION
../data/rfc/rfc3318.txt- "This internal label is implementation specific and may be
../data/rfc/rfc3318.txt- used for other policy related functions like flow
../data/rfc/rfc3318.txt: accounting purposes and/or other data path treatments."
../data/rfc/rfc3318.txt-
../data/rfc/rfc3318.txt- ::= { frwkILabelMarkerEntry 2 }
../data/rfc/rfc3318.txt-
../data/rfc/rfc3318.txt-
../data/rfc/rfc3318.txt-
--
../data/rfc/rfc959.txt- the control connections are made (some servers may require
../data/rfc/rfc959.txt- this). Additional identification information in the form of
../data/rfc/rfc959.txt- a password and/or an account command may also be required by
../data/rfc/rfc959.txt- some servers. Servers may allow a new USER command to be
../data/rfc/rfc959.txt- entered at any point in order to change the access control
../data/rfc/rfc959.txt: and/or accounting information. This has the effect of
../data/rfc/rfc959.txt- flushing any user, password, and account information already
../data/rfc/rfc959.txt- supplied and beginning the login sequence again. All
../data/rfc/rfc959.txt- transfer parameters are unchanged and any file transfer in
../data/rfc/rfc959.txt- progress is completed under the old access control
../data/rfc/rfc959.txt- parameters.
--
../data/rfc/rfc959.txt-
../data/rfc/rfc959.txt- CHANGE WORKING DIRECTORY (CWD)
../data/rfc/rfc959.txt-
../data/rfc/rfc959.txt- This command allows the user to work with a different
../data/rfc/rfc959.txt- directory or dataset for file storage or retrieval without
../data/rfc/rfc959.txt: altering his login or accounting information. Transfer
../data/rfc/rfc959.txt- parameters are similarly unchanged.
The argument is a
../data/rfc/rfc959.txt- pathname specifying a directory or other system dependent
../data/rfc/rfc959.txt- file group designator.
../data/rfc/rfc959.txt-
../data/rfc/rfc959.txt- CHANGE TO PARENT DIRECTORY (CDUP)
--
../data/rfc/rfc959.txt-
../data/rfc/rfc959.txt- STRUCTURE MOUNT (SMNT)
../data/rfc/rfc959.txt-
../data/rfc/rfc959.txt- This command allows the user to mount a different file
../data/rfc/rfc959.txt- system data structure without altering his login or
../data/rfc/rfc959.txt: accounting information. Transfer parameters are similarly
../data/rfc/rfc959.txt- unchanged. The argument is a pathname specifying a
../data/rfc/rfc959.txt- directory or other system dependent file group designator.
../data/rfc/rfc959.txt-
../data/rfc/rfc959.txt- REINITIALIZE (REIN)
../data/rfc/rfc959.txt-
--
../data/rfc/rfc959.txt- information, such as status or help.
../data/rfc/rfc959.txt-
../data/rfc/rfc959.txt- x2z Connections - Replies referring to the control and
../data/rfc/rfc959.txt- data connections.
../data/rfc/rfc959.txt-
../data/rfc/rfc959.txt: x3z Authentication and accounting - Replies for the login
../data/rfc/rfc959.txt: process and accounting procedures.
../data/rfc/rfc959.txt-
../data/rfc/rfc959.txt- x4z Unspecified as yet.
../data/rfc/rfc959.txt-
../data/rfc/rfc959.txt- x5z File system - These replies indicate the status of the
../data/rfc/rfc959.txt- Server file system vis-a-vis the requested transfer or
--
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt-1. Introduction
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt- The RADIUS [RFC2865] protocol carries authentication, authorization,
../data/rfc/rfc7499.txt: and accounting information between a RADIUS Client and a RADIUS
../data/rfc/rfc7499.txt- Server. Information is exchanged between them through RADIUS
../data/rfc/rfc7499.txt- packets.
Each RADIUS packet is composed of a header, and zero or
../data/rfc/rfc7499.txt- more attributes, up to a maximum packet size of 4096 bytes. The
../data/rfc/rfc7499.txt- protocol is a request/response protocol, as described in the
../data/rfc/rfc7499.txt- operational model ([RFC6158], Section 3.1).
--
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt- This means that peers desiring to send large amounts of data must
../data/rfc/rfc7499.txt- fragment it across multiple packets. For example, RADIUS-EAP
../data/rfc/rfc7499.txt- [RFC3579] defines how an Extensible Authentication Protocol (EAP)
../data/rfc/rfc7499.txt- exchange occurs across multiple Access-Request / Access-Challenge
../data/rfc/rfc7499.txt: sequences. No such exchange is possible for accounting or
../data/rfc/rfc7499.txt- authorization data. [RFC6158], Section 3.1 suggests that exchanging
../data/rfc/rfc7499.txt- large amounts of authorization data is unnecessary in RADIUS.
../data/rfc/rfc7499.txt- Instead, the data should be referenced by name. This requirement
../data/rfc/rfc7499.txt- allows large policies to be pre-provisioned and then referenced in an
../data/rfc/rfc7499.txt- Access-Accept. In some cases, however, the authorization data sent
--
../data/rfc/rfc7499.txt- limitation (e.g., RADIUS-EAP). Moreover, as they represent the most
../data/rfc/rfc7499.txt- critical part of a RADIUS conversation, it is preferable to not
../data/rfc/rfc7499.txt- introduce into their operation any modification that may affect
../data/rfc/rfc7499.txt- existing equipment.
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt: There is no need to fragment accounting packets either. While the
../data/rfc/rfc7499.txt: accounting process can send large amounts of data, that data is
../data/rfc/rfc7499.txt- typically composed of many small updates. That is, there is no
../data/rfc/rfc7499.txt- demonstrated need to send indivisible blocks of more than 4 kilobytes
../data/rfc/rfc7499.txt- of data.
The need to send large amounts of data per user session
../data/rfc/rfc7499.txt: often originates from the need for flow-based accounting. In this
../data/rfc/rfc7499.txt: use case, the RADIUS Client may send accounting data for many
../data/rfc/rfc7499.txt- thousands of flows, where all those flows are tied to one user
../data/rfc/rfc7499.txt- session. The existing Acct-Multi-Session-Id attribute defined in
../data/rfc/rfc7499.txt- [RFC2866], Section 5.11 has been proven to work here.
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt- Similarly, there is no need to fragment Change-of-Authorization (CoA)
--
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt- The bulk data can often be pushed off to storage methods other than
../data/rfc/rfc7499.txt- the memory of the RADIUS implementation. For example, it can be
../data/rfc/rfc7499.txt- stored in an external database or in files. This approach mitigates
../data/rfc/rfc7499.txt- the resource exhaustion issue, as RADIUS Servers today already store
../data/rfc/rfc7499.txt: large amounts of accounting data.
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt-
--
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt- [RADIUS-Larger-Pkts]
../data/rfc/rfc7499.txt- Hartman, S., "Larger Packets for RADIUS over TCP", Work in
../data/rfc/rfc7499.txt- Progress, draft-ietf-radext-bigger-packets-03, March 2015.
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000,
../data/rfc/rfc7499.txt- <http://www.rfc-editor.org/info/rfc2866>.
../data/rfc/rfc7499.txt-
../data/rfc/rfc7499.txt- [RFC3579] Aboba, B. and P.
Calhoun, "RADIUS (Remote Authentication
../data/rfc/rfc7499.txt- Dial In User Service) Support For Extensible
../data/rfc/rfc7499.txt- Authentication Protocol (EAP)", RFC 3579, September 2003,
--
../data/rfc/rfc5116.txt- user of the application and the VM avoid unintentional mistakes of
../data/rfc/rfc5116.txt- this sort. The possibility exists that an attacker can cause a VM
../data/rfc/rfc5116.txt- rollback; threats and mitigations in that scenario are an area of
../data/rfc/rfc5116.txt- active research. For perspective, we note that an attacker who can
../data/rfc/rfc5116.txt- trigger such a rollback may have already succeeded in subverting the
../data/rfc/rfc5116.txt: security of the system, e.g., by causing an accounting error.
../data/rfc/rfc5116.txt-
../data/rfc/rfc5116.txt- An IANA registration of an AEAD algorithm MUST NOT be regarded as an
../data/rfc/rfc5116.txt- endorsement of its security. Furthermore, the perceived security
../data/rfc/rfc5116.txt- level of an algorithm can degrade over time, due to cryptanalytic
../data/rfc/rfc5116.txt- advances or to "Moore's Law", that is, the diminishing cost of
--
../data/rfc/rfc6035.txt-; using the ABNF format provided in RFC 3339,
../data/rfc/rfc6035.txt-; "Date and Time on the Internet: Timestamps"
../data/rfc/rfc6035.txt-; These timestamps SHOULD reflect, as closely as
../data/rfc/rfc6035.txt-; possible, the actual time during which the media session
../data/rfc/rfc6035.txt-; was running to enable correlation to events occurring
../data/rfc/rfc6035.txt:; in the network infrastructure and to accounting records.
../data/rfc/rfc6035.txt-; Time zones other than "Z" are not allowed.
../data/rfc/rfc6035.txt-
../data/rfc/rfc6035.txt-TimeStamps = "Timestamps" HCOLON StartTime WSP StopTime
../data/rfc/rfc6035.txt-StartTime = "START" EQUAL date-time
../data/rfc/rfc6035.txt-StopTime = "STOP" EQUAL date-time
--
../data/rfc/rfc6035.txt- Following SIP and other IETF conventions, timestamps are provided in
../data/rfc/rfc6035.txt- Coordinated Universal Time (UTC) using the ABNF format provided in
../data/rfc/rfc6035.txt- RFC 3339 [7]. These timestamps SHOULD reflect, as closely as
../data/rfc/rfc6035.txt- possible, the actual time during which the media session was running
../data/rfc/rfc6035.txt- to enable correlation to related events occurring in the network and
../data/rfc/rfc6035.txt: to accounting or billing records.
../data/rfc/rfc6035.txt-
../data/rfc/rfc6035.txt-
../data/rfc/rfc6035.txt-
../data/rfc/rfc6035.txt-
../data/rfc/rfc6035.txt-Pendleton, et al. Standards Track [Page 21]
--
../data/rfc/rfc5690.txt- will not necessarily be able to tell if ACK congestion control is
../data/rfc/rfc5690.txt- being used correctly by the sender, because drops of ACK packets
../data/rfc/rfc5690.txt- might be occurring after the ACK packets have left the router.
../data/rfc/rfc5690.txt- However, if the router sees the ACK Ratio options sent from the
../data/rfc/rfc5690.txt- sender, the router will be able to tell if the sender is correctly
../data/rfc/rfc5690.txt: accounting for those ACK packets that are dropped or ECN-marked on
../data/rfc/rfc5690.txt- the path from the receiver to the router.
../data/rfc/rfc5690.txt-
../data/rfc/rfc5690.txt-10. IANA Considerations
../data/rfc/rfc5690.txt-
../data/rfc/rfc5690.txt- No IANA action is needed at this time. If this document was advanced
--
../data/rfc/rfc7620.txt-
../data/rfc/rfc7620.txt-
../data/rfc/rfc7620.txt- * The provider is not able to distinguish the traffic belonging
../data/rfc/rfc7620.txt- to the visiting terminal from the traffic of the subscriber
../data/rfc/rfc7620.txt- owning the RG.
This is needed to identify which policies are
../data/rfc/rfc7620.txt: to be enforced such as: accounting, Differentiated Services
../data/rfc/rfc7620.txt- Code Point (DSCP) remarking, black list, etc.
../data/rfc/rfc7620.txt-
../data/rfc/rfc7620.txt- * Similar to the CGN case Section 3, a misbehaving visiting
../data/rfc/rfc7620.txt- terminal is likely to have some impact on the experienced
../data/rfc/rfc7620.txt- service by the subscriber owning the RG (e.g., some of the
--
../data/rfc/rfc7620.txt- SeGW would have the complete knowledge of such mapping, but the
../data/rfc/rfc7620.txt- reasons for being unable to use SeGW for this purpose are explained
../data/rfc/rfc7620.txt- in Section 2 of [IKEv2-CP-EXT].
../data/rfc/rfc7620.txt-
../data/rfc/rfc7620.txt- This scenario involves PCRF/BPCF, but it is valid in other deployment
../data/rfc/rfc7620.txt: scenarios making use of Authentication, Authorization, and Accounting
../data/rfc/rfc7620.txt- (AAA) servers.
../data/rfc/rfc7620.txt-
../data/rfc/rfc7620.txt- The issue of correlating the internal IP address and the public IP
../data/rfc/rfc7620.txt- address is valid even if there is no NAT in the path.
../data/rfc/rfc7620.txt-
--
../data/rfc/rfc7620.txt-
../data/rfc/rfc7620.txt- In the Policy for Convergence of Fixed Mobile Convergence (FMC)
../data/rfc/rfc7620.txt- scenario, the fixed broadband network must partner with the mobile
../data/rfc/rfc7620.txt- network to acquire the policies for the terminals or hosts attaching
../data/rfc/rfc7620.txt- to the fixed broadband network, shown in Figure 15, so that host-
../data/rfc/rfc7620.txt: specific QoS and accounting policies can be applied.
../data/rfc/rfc7620.txt-
../data/rfc/rfc7620.txt- A UE is connected to the RG, which is routed back to the mobile
../data/rfc/rfc7620.txt- network. The mobile operator's PCRF needs to maintain the
../data/rfc/rfc7620.txt- interconnect with the BPCF in the BBF network for PCC (Section 8).
../data/rfc/rfc7620.txt- The hosts (i.e., UEs) attaching to a fixed broadband network with a -- ../data/rfc/rfc7620.txt- ../data/rfc/rfc7620.txt- HOST_1 in Figure 16 creates a 128-bit IPv6 address using this prefix ../data/rfc/rfc7620.txt- and adding its interface ID. Having completed the address ../data/rfc/rfc7620.txt- configuration, the host can start communication with a remote host ../data/rfc/rfc7620.txt- over the Internet. However, no specific IP-CAN session can be ../data/rfc/rfc7620.txt: assigned to HOST_1, and consequently the QoS and accounting performed ../data/rfc/rfc7620.txt- will be based on RG subscription. ../data/rfc/rfc7620.txt- ../data/rfc/rfc7620.txt- Another host, e.g., HOST_2, attaches to the RG and also establishes ../data/rfc/rfc7620.txt- an IPv6 address using the home network prefix. The edge router, or ../data/rfc/rfc7620.txt- BNG, is not involved with this or any other such address assignments. ../data/rfc/rfc7620.txt- ../data/rfc/rfc7620.txt- This leads to the case where no specific IP-CAN session/sub-session ../data/rfc/rfc7620.txt- can be assigned to the hosts, HOST_1, HOST_2, etc., and consequently ../data/rfc/rfc7620.txt: the QoS and accounting performed can only be based on RG subscription ../data/rfc/rfc7620.txt- and is not host specific. Therefore, IPv6 prefix sharing in the ../data/rfc/rfc7620.txt- Policy for Convergence scenario leads to similar issues as the ../data/rfc/rfc7620.txt- ../data/rfc/rfc7620.txt- ../data/rfc/rfc7620.txt- -- ../data/rfc/rfc1927.txt- so a supply of staples could be used by several ../data/rfc/rfc1927.txt- programs.
../data/rfc/rfc1927.txt- ../data/rfc/rfc1927.txt-3) recycling electronic staples and paper clips ../data/rfc/rfc1927.txt- ../data/rfc/rfc1927.txt: 1) to assure proper accounting, and to detect patent violations ../data/rfc/rfc1927.txt- (people making their own electronic staples), it may be ../data/rfc/rfc1927.txt- necessary to attach a certificate to each staple or paper ../data/rfc/rfc1927.txt- clip. ../data/rfc/rfc1927.txt- ../data/rfc/rfc1927.txt- -- ../data/rfc/rfc4640.txt- ../data/rfc/rfc4640.txt-RFC 4640 PS Bootstrapping Mobile IPv6 September 2006 ../data/rfc/rfc4640.txt- ../data/rfc/rfc4640.txt- ../data/rfc/rfc4640.txt- One typical way of verifying the trust relationship is using ../data/rfc/rfc4640.txt: authentication, authorization, and accounting (AAA) ../data/rfc/rfc4640.txt- infrastructure. In this document, two distinct uses of AAA are ../data/rfc/rfc4640.txt- considered: ../data/rfc/rfc4640.txt- ../data/rfc/rfc4640.txt- AAA for Network Access ../data/rfc/rfc4640.txt- -- ../data/rfc/rfc4640.txt- ../data/rfc/rfc4640.txt-5.2.1. Integration with AAA Infrastructure ../data/rfc/rfc4640.txt- ../data/rfc/rfc4640.txt- The current IKEv1-based dynamic key exchange protocol, described in ../data/rfc/rfc4640.txt- [RFC3776], has no integration with backend authentication, ../data/rfc/rfc4640.txt: authorization, and accounting techniques unless the authentication ../data/rfc/rfc4640.txt- credentials and trust relationships use certificates or pre-shared ../data/rfc/rfc4640.txt- secrets. ../data/rfc/rfc4640.txt- ../data/rfc/rfc4640.txt- Certificates are not easily supported by traditional AAA ../data/rfc/rfc4640.txt- infrastructures. Where a traditional AAA infrastructure is used, the -- ../data/rfc/rfc4640.txt- mobile node gains access to the foreign network, in order to ../data/rfc/rfc4640.txt- authenticate the mobile node's identity and determine whether the ../data/rfc/rfc4640.txt- mobile node is authorized for mobility service. 
../data/rfc/rfc4640.txt- ../data/rfc/rfc4640.txt- The lack of connection to the AAA infrastructure also means that the ../data/rfc/rfc4640.txt: home agent does not know where to send accounting records at ../data/rfc/rfc4640.txt- appropriate times during the mobile node's session, as determined by ../data/rfc/rfc4640.txt- the business relationship between the MSP and the mobile node's ../data/rfc/rfc4640.txt- owner. ../data/rfc/rfc4640.txt- ../data/rfc/rfc4640.txt- Presumably, some backend AAA protocol between the home agent and home -- ../data/rfc/rfc3199.txt- ../data/rfc/rfc3199.txt-3141 Hiller Jun 2001 CDMA2000 Wireless Data ../data/rfc/rfc3199.txt- Requirements for AAA ../data/rfc/rfc3199.txt- ../data/rfc/rfc3199.txt-This memo specifies cdma2000 wireless data AAA (Authentication, ../data/rfc/rfc3199.txt:Authorization, Accounting) requirements associated with third generation ../data/rfc/rfc3199.txt-wireless architecture that supports roaming among service providers for ../data/rfc/rfc3199.txt-traditional PPP and Mobile IP services. This memo provides information ../data/rfc/rfc3199.txt-for the Internet community. ../data/rfc/rfc3199.txt- ../data/rfc/rfc3199.txt- -- ../data/rfc/rfc3199.txt- ../data/rfc/rfc3199.txt-RFC 3199 Summary of 3100-3199 February 2003 ../data/rfc/rfc3199.txt- ../data/rfc/rfc3199.txt- ../data/rfc/rfc3199.txt-3127 Mitton Jun 2001 Authentication, Authorization, ../data/rfc/rfc3199.txt: and Accounting: Protocol ../data/rfc/rfc3199.txt- Evaluation ../data/rfc/rfc3199.txt- ../data/rfc/rfc3199.txt-This memo represents the process and findings of the Authentication, ../data/rfc/rfc3199.txt:Authorization, and Accounting Working Group (AAA WG) panel evaluating ../data/rfc/rfc3199.txt-protocols proposed against the AAA Network Access Requirements, RFC ../data/rfc/rfc3199.txt-2989. This memo provides information for the Internet community. 
../data/rfc/rfc3199.txt- ../data/rfc/rfc3199.txt- ../data/rfc/rfc3199.txt-3126 Pinkas Sep 2001 Electronic Signature Formats -- ../data/rfc/rfc6272.txt- 2.3. Network Infrastructure . . . . . . . . . . . . . . . . . . 13 ../data/rfc/rfc6272.txt- 2.3.1. Domain Name System (DNS) . . . . . . . . . . . . . . . 13 ../data/rfc/rfc6272.txt- 2.3.2. Network Management . . . . . . . . . . . . . . . . . . 13 ../data/rfc/rfc6272.txt- 3. Specific Protocols . . . . . . . . . . . . . . . . . . . . . . 14 ../data/rfc/rfc6272.txt- 3.1. Security Toolbox . . . . . . . . . . . . . . . . . . . . . 14 ../data/rfc/rfc6272.txt: 3.1.1. Authentication, Authorization, and Accounting (AAA) . 14 ../data/rfc/rfc6272.txt- 3.1.2. Network Layer Security . . . . . . . . . . . . . . . . 15 ../data/rfc/rfc6272.txt- 3.1.3. Transport Layer Security . . . . . . . . . . . . . . . 16 ../data/rfc/rfc6272.txt- 3.1.4. Application Layer Security . . . . . . . . . . . . . . 17 ../data/rfc/rfc6272.txt- 3.1.5. Secure Shell . . . . . . . . . . . . . . . . . . . . . 18 ../data/rfc/rfc6272.txt- 3.1.6. Key Management Infrastructures . . . . . . . . . . . . 18 -- ../data/rfc/rfc6272.txt- ../data/rfc/rfc6272.txt- In this section, having briefly laid out the IP architecture and some ../data/rfc/rfc6272.txt- of the problems that the architecture tries to address, we introduce ../data/rfc/rfc6272.txt- specific protocols that might be appropriate to various Smart Grid ../data/rfc/rfc6272.txt- use cases. Use cases should be analyzed along with privacy, ../data/rfc/rfc6272.txt: Authentication, Authorization, and Accounting (AAA), transport, and ../data/rfc/rfc6272.txt- network solution dimensions. The following sections provide guidance ../data/rfc/rfc6272.txt- for such analysis. ../data/rfc/rfc6272.txt- ../data/rfc/rfc6272.txt-3.1. Security Toolbox ../data/rfc/rfc6272.txt- -- ../data/rfc/rfc6272.txt- specifically designed to mitigate these protocol-specific risks. 
In ../data/rfc/rfc6272.txt- other cases, the security considerations will identify security- ../data/rfc/rfc6272.txt- relevant services that are required from other network layers to ../data/rfc/rfc6272.txt- achieve appropriate levels of security. ../data/rfc/rfc6272.txt- ../data/rfc/rfc6272.txt:3.1.1. Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc6272.txt- ../data/rfc/rfc6272.txt- While the term AAA sounds generic and applicable to all sorts of ../data/rfc/rfc6272.txt- security protocols, it has been, in the IETF, used in relation to ../data/rfc/rfc6272.txt- network access authentication and is associated with the RADIUS ../data/rfc/rfc6272.txt- ([RFC2865]) and the Diameter protocol ([RFC3588], [DIME-BASE]) in -- ../data/rfc/rfc6272.txt- cryptographic authentication and key exchange, such as described in ../data/rfc/rfc6272.txt- RFC 5216 [RFC5216] and RFC 5433 [RFC5433]), a protocol that carries ../data/rfc/rfc6272.txt- EAP payloads between the end host and a server-side entity (such as a ../data/rfc/rfc6272.txt- network access server), and a way to carry EAP payloads to back-end ../data/rfc/rfc6272.txt- server infrastructure (potentially in a cross-domain scenario) to ../data/rfc/rfc6272.txt: provide authorization and accounting functionality. The latter part ../data/rfc/rfc6272.txt- is provided by RADIUS and Diameter. To carry EAP payloads between ../data/rfc/rfc6272.txt- the end host and a network access server, different mechanisms have ../data/rfc/rfc6272.txt- been standardized, such as the Protocol for Carrying Authentication ../data/rfc/rfc6272.txt- for Network Access (PANA) [RFC5191] and IEEE 802.1X [IEEE802.1X]. ../data/rfc/rfc6272.txt- For access to remote networks, such as enterprise networks, the -- ../data/rfc/rfc9005.txt-3. Motivation ../data/rfc/rfc9005.txt- ../data/rfc/rfc9005.txt- Paths computed using PCE can be subjected to various policies at both ../data/rfc/rfc9005.txt- the PCE and the PCC. 
For example, in a centralized TE scenario, ../data/rfc/rfc9005.txt- network operators may instantiate LSPs and specify policies for ../data/rfc/rfc9005.txt: traffic accounting, path monitoring, telemetry, etc., for some LSPs ../data/rfc/rfc9005.txt- via the stateful PCE. Similarly, a PCC could request a user-specific ../data/rfc/rfc9005.txt- or service-specific policy to be applied at the PCE, such as a ../data/rfc/rfc9005.txt- constraints relaxation policy, to meet optimal QoS and resiliency ../data/rfc/rfc9005.txt- levels. ../data/rfc/rfc9005.txt- -- ../data/rfc/rfc3374.txt- In IP access networks that support host mobility, the routing paths ../data/rfc/rfc3374.txt- between the host and the network may change frequently and rapidly. ../data/rfc/rfc3374.txt- In some cases, the host may establish certain context transfer ../data/rfc/rfc3374.txt- candidate services on subnets that are left behind when the host ../data/rfc/rfc3374.txt- moves. Examples of such services are Authentication, Authorization, ../data/rfc/rfc3374.txt: and Accounting (AAA), header compression, and Quality of Service ../data/rfc/rfc3374.txt- (QoS). In order for the host to obtain those services on the new ../data/rfc/rfc3374.txt- subnet, the host must explicitly re-establish the service by ../data/rfc/rfc3374.txt- performing the necessary signaling flows from scratch. In some ../data/rfc/rfc3374.txt- cases, this process would considerably slow the process of ../data/rfc/rfc3374.txt- establishing the mobile host on the new subnet. 
An alternative is to -- ../data/rfc/rfc3374.txt- 1.0 Introduction................................................2 ../data/rfc/rfc3374.txt- 2.0 Reference Definitions.......................................3 ../data/rfc/rfc3374.txt- 3.0 Scope of the Context Transfer Problem.......................3 ../data/rfc/rfc3374.txt- 4.0 The Need for Context Transfer...............................4 ../data/rfc/rfc3374.txt- 4.1 Fast Context Transfer-candidate Service Re-establishment....4 ../data/rfc/rfc3374.txt: 4.1.1 Authentication, Authorization, and Accounting (AAA).........4 ../data/rfc/rfc3374.txt- 4.1.2 Header Compression..........................................5 ../data/rfc/rfc3374.txt- 4.1.3 Quality of Service (QoS)....................................6 ../data/rfc/rfc3374.txt- 4.2 Interoperability............................................6 ../data/rfc/rfc3374.txt- 5.0 Limitations on Context Transfer.............................7 ../data/rfc/rfc3374.txt- 5.1 Router Compatibility........................................7 -- ../data/rfc/rfc3374.txt- transfer-candidate services that could utilize a context transfer ../data/rfc/rfc3374.txt- solution. In this section, three representative services are ../data/rfc/rfc3374.txt- examined. The consequences of not having a context transfer solution ../data/rfc/rfc3374.txt- are examined as a means of motivating the need for such a solution. 
../data/rfc/rfc3374.txt- ../data/rfc/rfc3374.txt:4.1.1 Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc3374.txt- ../data/rfc/rfc3374.txt- One of the more compelling applications of context transfer is ../data/rfc/rfc3374.txt- facilitating the re-authentication of the mobile host and ../data/rfc/rfc3374.txt- re-establishment of the mobile host's authorization for network ../data/rfc/rfc3374.txt- access in a new subnet by transferring the AAA context from the -- ../data/rfc/rfc6136.txt- ../data/rfc/rfc6136.txt- The scope of OAM for any service and/or transport/network ../data/rfc/rfc6136.txt- infrastructure technologies can be very broad in nature. OSI has ../data/rfc/rfc6136.txt- defined the following five generic functional areas commonly ../data/rfc/rfc6136.txt- abbreviated as "FCAPS" [NM-Standards]: a) Fault Management, b) ../data/rfc/rfc6136.txt: Configuration Management, c) Accounting Management, d) Performance ../data/rfc/rfc6136.txt- Management, and e) Security Management. ../data/rfc/rfc6136.txt- ../data/rfc/rfc6136.txt- ../data/rfc/rfc6136.txt- ../data/rfc/rfc6136.txt- -- ../data/rfc/rfc759.txt- 3.6. Message Objects ............................................. 20 ../data/rfc/rfc759.txt- 3.7. Data Elements ............................................... 27 ../data/rfc/rfc759.txt- ../data/rfc/rfc759.txt-4. OTHER ISSUES .................................................... 35 ../data/rfc/rfc759.txt- ../data/rfc/rfc759.txt: 4.1. Accounting and Billing ...................................... 35 ../data/rfc/rfc759.txt- 4.2. Addressing and Routing ...................................... 36 ../data/rfc/rfc759.txt- 4.3. Encryption .................................................. 37 ../data/rfc/rfc759.txt- ../data/rfc/rfc759.txt-5. The MPM: A Possible Architecture ............................... 39 ../data/rfc/rfc759.txt- -- ../data/rfc/rfc759.txt- 4. 
OTHER ISSUES ../data/rfc/rfc759.txt- ../data/rfc/rfc759.txt-This section discusses various other issues that need to be dealt with ../data/rfc/rfc759.txt-in a computer message system. ../data/rfc/rfc759.txt- ../data/rfc/rfc759.txt:4.1. Accounting and Billing ../data/rfc/rfc759.txt- ../data/rfc/rfc759.txt: Accounting and billing must be performed by the MPM. The charge to ../data/rfc/rfc759.txt- the user by the message delivery system must be predictable, and so ../data/rfc/rfc759.txt- cannot depend on the actual cost of sending a particular message which ../data/rfc/rfc759.txt- incurs random delays, handling and temporary storage charges. Rather, ../data/rfc/rfc759.txt- these costs must be aggregated and charged back to the users on an ../data/rfc/rfc759.txt- average cost basis. The user of the service may be charged based on -- ../data/rfc/rfc5254.txt- For SS-PWs, a traffic engineered PSN tunnel (i.e., MPLS-TE) may be ../data/rfc/rfc5254.txt- used to ensure that sufficient resources are reserved in the ../data/rfc/rfc5254.txt- P-routers to provide QoS to PWs on the tunnel. In this case, T-PEs ../data/rfc/rfc5254.txt- MUST have the ability to automatically request the PSN tunnel ../data/rfc/rfc5254.txt- resources in the direction of traffic (e.g., admission control of PWs ../data/rfc/rfc5254.txt: onto the PSN tunnel and accounting for reserved bandwidth and ../data/rfc/rfc5254.txt- ../data/rfc/rfc5254.txt- ../data/rfc/rfc5254.txt- ../data/rfc/rfc5254.txt-Bitar, et al. 
Informational [Page 11] ../data/rfc/rfc5254.txt- -- ../data/rfc/rfc790.txt- 83 123 MIT ML Device [MOON] ../data/rfc/rfc790.txt- 85 125 MIT ML Device [MOON] ../data/rfc/rfc790.txt- 87 127 any terminal link [JBP] ../data/rfc/rfc790.txt- 89 131 SU/MIT Telnet Gateway [MRC] ../data/rfc/rfc790.txt- 91 133 MIT Dover Spooler [EBM] ../data/rfc/rfc790.txt: 93 135 BBN RCC Accounting [DT] ../data/rfc/rfc790.txt- 95 137 SUPDUP [15,MRC] ../data/rfc/rfc790.txt- 97 141 Datacomputer Status [8,JZS] ../data/rfc/rfc790.txt- 99 143 CADC - NIFTP via UCL [PLH] ../data/rfc/rfc790.txt- 101 145 NPL - NIFTP via UCL [PLH] ../data/rfc/rfc790.txt- 103 147 BNPL - NIFTP via UCL [PLH] -- ../data/rfc/rfc790.txt- 2-71 2-107 AHHP Regular Messages [28,17,JBP] ../data/rfc/rfc790.txt- 72-150 110-226 Reserved [JBP] ../data/rfc/rfc790.txt- 151 227 CHAOS Protocol [MOON] ../data/rfc/rfc790.txt- 152 230 PARC Universal Protocol [4,EAT3] ../data/rfc/rfc790.txt- 153 231 TIP Status Reporting [JGH] ../data/rfc/rfc790.txt: 154 232 TIP Accounting [JGH] ../data/rfc/rfc790.txt- 155 233 Internet Protocol (regular) [33,JBP] ../data/rfc/rfc790.txt- 156-158 234-236 Internet Protocol (experimental) [33,JBP] ../data/rfc/rfc790.txt- 159-191 237-277 Measurements [9,VGC] ../data/rfc/rfc790.txt- 192-195 300-303 Unassigned [JBP] ../data/rfc/rfc790.txt- 196-255 304-377 Experimental Protocols [JBP] -- ../data/rfc/rfc7542.txt- "Local" or "Localized" Text ../data/rfc/rfc7542.txt- ../data/rfc/rfc7542.txt- "Local" or "localized" text is text that is in either non-UTF-8 or ../data/rfc/rfc7542.txt- non-normalized form. The character set, encoding, and locale are ../data/rfc/rfc7542.txt- (in general) unknown to Authentication, Authorization, and ../data/rfc/rfc7542.txt: Accounting (AAA) network protocols. The client that "knows" the ../data/rfc/rfc7542.txt- locale may have a different concept of this text than other AAA ../data/rfc/rfc7542.txt- entities, which do not know the same locale. 
../data/rfc/rfc7542.txt- ../data/rfc/rfc7542.txt- Network Access Identifier ../data/rfc/rfc7542.txt- -- ../data/rfc/rfc7542.txt- ../data/rfc/rfc7542.txt- * The prohibition of the use of unassigned code points in ../data/rfc/rfc7542.txt- Section 2.4 of [RFC4282] effectively prohibits support for new ../data/rfc/rfc7542.txt- scripts. ../data/rfc/rfc7542.txt- ../data/rfc/rfc7542.txt: * No Authentication, Authorization, and Accounting (AAA) client, ../data/rfc/rfc7542.txt- proxy, or server has implemented any of the requirements in ../data/rfc/rfc7542.txt- Section 2.4 of [RFC4282], among other sections. ../data/rfc/rfc7542.txt- ../data/rfc/rfc7542.txt- With international roaming growing in popularity, it is important for ../data/rfc/rfc7542.txt- these issues to be corrected in order to provide robust and -- ../data/rfc/rfc7542.txt- these requirements. ../data/rfc/rfc7542.txt- ../data/rfc/rfc7542.txt- One example of such use is the "private user identity", which is an ../data/rfc/rfc7542.txt- identifier defined by the 3rd Generation Partnership Project (3GPP). ../data/rfc/rfc7542.txt- That identifier is used to uniquely identify the user to the network. ../data/rfc/rfc7542.txt: The identifier is used for authorization, authentication, accounting, ../data/rfc/rfc7542.txt- administration, etc. The "private user identity" is globally unique ../data/rfc/rfc7542.txt- and is defined by the home network operator. The format of the ../data/rfc/rfc7542.txt- identifier is explicitly the NAI, as stated by Section 13.3 of ../data/rfc/rfc7542.txt- [3GPP]: ../data/rfc/rfc7542.txt- -- ../data/rfc/rfc7542.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, ../data/rfc/rfc7542.txt- "Remote Authentication Dial In User Service (RADIUS)", ../data/rfc/rfc7542.txt- RFC 2865, June 2000, ../data/rfc/rfc7542.txt- <http://www.rfc-editor.org/info/rfc2865>. 
../data/rfc/rfc7542.txt- ../data/rfc/rfc7542.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000, ../data/rfc/rfc7542.txt- <http://www.rfc-editor.org/info/rfc2866>. ../data/rfc/rfc7542.txt- ../data/rfc/rfc7542.txt- [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode ../data/rfc/rfc7542.txt- for Internationalized Domain Names in Applications ../data/rfc/rfc7542.txt- (IDNA)", RFC 3492, March 2003, -- ../data/rfc/rfc666.txt- it would be unworkable as well as ill-advised to attempt to legislate ../data/rfc/rfc666.txt- the richness represented by existing command languages out of ../data/rfc/rfc666.txt- existence. Further, as it is a closed environment, no naming ../data/rfc/rfc666.txt- conflicts with native commands would arise. ../data/rfc/rfc666.txt- ../data/rfc/rfc666.txt: 5. Accounting and authentication. As evidenced by the spate of RFCs ../data/rfc/rfc666.txt: about the implications of the FTP in regard to both accounting for ../data/rfc/rfc666.txt- use of Network services and authenticating users' identifications ../data/rfc/rfc666.txt- (Bressler's RFC 487, Pogran's RFC 501, and my RFC 505 -- and even ../data/rfc/rfc666.txt- 491), this area is still up in the air. The generic login command ../data/rfc/rfc666.txt- proposed here should help matters, as it allows the Server to ../data/rfc/rfc666.txt- associate an appropriate process with the connection while actuating ../data/rfc/rfc666.txt: appropriate accounting and access control as well, if it chooses. ../data/rfc/rfc666.txt- ../data/rfc/rfc666.txt- 6. Process-process functions. By enabling the invocation of foreign ../data/rfc/rfc666.txt- object programs, the present proposal offers a rubric in which such ../data/rfc/rfc666.txt- process-to-process functions as "parallelism" can be performed. (See ../data/rfc/rfc666.txt- the discussion of the "call" command, below.) 
Note that the UULP is -- ../data/rfc/rfc82.txt-Meyer [Page 2] ../data/rfc/rfc82.txt- ../data/rfc/rfc82.txt-RFC 82 Network Meeting Notes December 1970 ../data/rfc/rfc82.txt- ../data/rfc/rfc82.txt- ../data/rfc/rfc82.txt: 6) Accounting - In the 2nd half of 1971 more sites will come on ../data/rfc/rfc82.txt: where accounting is important. (They want to send bills.) ../data/rfc/rfc82.txt- Larry Roberts says that there will be a kind of banking system ../data/rfc/rfc82.txt- with bills passed around. Two types of sites: billing sites, ../data/rfc/rfc82.txt- and free but limited access research sites. I see no ../data/rfc/rfc82.txt- fundamental problems. What happens when a research site talks ../data/rfc/rfc82.txt- to a billing site? I think it is do-able. -- ../data/rfc/rfc82.txt- that is better than a simulation package. Various people want ../data/rfc/rfc82.txt- to make measurements. This could be supported by keeping ../data/rfc/rfc82.txt- statistics in NCP's What about increasing the NCP's to include ../data/rfc/rfc82.txt- these? ../data/rfc/rfc82.txt- ../data/rfc/rfc82.txt: Long: Putting accounting and measuring into NCP's costs space. Keep ../data/rfc/rfc82.txt- additions to a minimum. ../data/rfc/rfc82.txt- ../data/rfc/rfc82.txt- Weissman: What about scheduled availability of various systems? ../data/rfc/rfc82.txt- ../data/rfc/rfc82.txt- Crocker: This has to be coordinated with each individual system -- ../data/rfc/rfc82.txt- Engelbart: If BBN's NCP is ready by February 1971, we'll use it. ../data/rfc/rfc82.txt- ../data/rfc/rfc82.txt- Crocker: How do people get access? ../data/rfc/rfc82.txt- ../data/rfc/rfc82.txt- Engelbart: Each site is registered. Any person who gets in on a ../data/rfc/rfc82.txt: site's account has its access. We won't worry about accounting ../data/rfc/rfc82.txt- until saturation occurs. We would like to encourage use of the ../data/rfc/rfc82.txt- agent system to create and use a survey of resources at each site. 
../data/rfc/rfc82.txt- Some subgroup should talk about this. ../data/rfc/rfc82.txt- ../data/rfc/rfc82.txt- Crocker: When can people meet to discuss this? (Tomorrow morning) -- ../data/rfc/rfc2600.txt-WEBDAV HTTP Extensions for Distributed Authoring -- WEBDAV 2518 ../data/rfc/rfc2600.txt-ATM-MIBMAN Definitions of Managed Objects for ATM Management 2515 ../data/rfc/rfc2600.txt-ATM-TC-OID Definitions of Textual Conventions and 2514 ../data/rfc/rfc2600.txt- OBJECT-IDENTITIES for ATM Management ../data/rfc/rfc2600.txt--------- Managed Objects for Controlling the Collection 2513 ../data/rfc/rfc2600.txt: and Storage of Accounting Information for ../data/rfc/rfc2600.txt- Connection-Oriented Networks ../data/rfc/rfc2600.txt:-------- Accounting Information for ATM Networks 2512 ../data/rfc/rfc2600.txt-X.509-CRMF Internet X.509 Certificate Request Message Format 2511 ../data/rfc/rfc2600.txt-PKICMP Internet X.509 Public Key Infrastructure Certificate 2510 ../data/rfc/rfc2600.txt- Management Protocols ../data/rfc/rfc2600.txt-IPCOM-PPP IP Header Compression over PPP 2509 ../data/rfc/rfc2600.txt--------- Compressing IP/UDP/RTP Headers for Low-Speed Serial 2508 -- ../data/rfc/rfc6310.txt-A.2. ATM Management ../data/rfc/rfc6310.txt- ../data/rfc/rfc6310.txt- ATM management and OAM mechanisms are much more evolved than those of ../data/rfc/rfc6310.txt- Frame Relay. There are five broad management-related categories, ../data/rfc/rfc6310.txt- including fault management (FT), Performance management (PM), ../data/rfc/rfc6310.txt: configuration management (CM), Accounting management (AC), and ../data/rfc/rfc6310.txt- Security management (SM). [I.610] describes the functions for the ../data/rfc/rfc6310.txt- operation and maintenance of the physical layer and the ATM layer, ../data/rfc/rfc6310.txt- that is, management at the bit and cell levels. Because of its ../data/rfc/rfc6310.txt- scope, this document will concentrate on ATM fault management ../data/rfc/rfc6310.txt- functions. 
Fault management functions include the following: -- ../data/rfc/rfc3599.txt- ../data/rfc/rfc3599.txt- ../data/rfc/rfc3599.txt-3588 Calhoun Sep 2003 Diameter Base Protocol ../data/rfc/rfc3599.txt- ../data/rfc/rfc3599.txt-The Diameter base protocol is intended to provide an Authentication, ../data/rfc/rfc3599.txt:Authorization and Accounting (AAA) framework for applications such as ../data/rfc/rfc3599.txt-network access or IP mobility. Diameter is also intended to work in ../data/rfc/rfc3599.txt:both local Authentication, Authorization & Accounting and roaming ../data/rfc/rfc3599.txt-situations. This document specifies the message format, transport, ../data/rfc/rfc3599.txt:error reporting, accounting and security services to be used by all ../data/rfc/rfc3599.txt-Diameter applications. The Diameter base application needs to be ../data/rfc/rfc3599.txt-supported by all Diameter implementations. [STANDARDS TRACK] ../data/rfc/rfc3599.txt- ../data/rfc/rfc3599.txt- ../data/rfc/rfc3599.txt-3587 Hinden Aug 2003 IPv6 Global Unicast Address -- ../data/rfc/rfc3599.txt-efficient for both routers and hosts. This memo defines an Experimental ../data/rfc/rfc3599.txt-Protocol for the Internet community. ../data/rfc/rfc3599.txt- ../data/rfc/rfc3599.txt- ../data/rfc/rfc3599.txt-3539 Aboba Jun 2003 Authentication, Authorization ../data/rfc/rfc3599.txt: and Accounting (AAA) Transport ../data/rfc/rfc3599.txt- Profile ../data/rfc/rfc3599.txt- ../data/rfc/rfc3599.txt-This document discusses transport issues that arise within protocols for ../data/rfc/rfc3599.txt:Authentication, Authorization and Accounting (AAA). It also provides ../data/rfc/rfc3599.txt-recommendations on the use of transport by AAA protocols. This includes ../data/rfc/rfc3599.txt-usage of standards-track RFCs as well as experimental proposals. 
../data/rfc/rfc3599.txt-[STANDARDS TRACK] ../data/rfc/rfc3599.txt- ../data/rfc/rfc3599.txt- -- ../data/rfc/rfc3599.txt-3521 Hamer Apr 2003 Framework for Session Set-up ../data/rfc/rfc3599.txt- with Media Authorization ../data/rfc/rfc3599.txt- ../data/rfc/rfc3599.txt-Establishing multimedia streams must take into account requirements for ../data/rfc/rfc3599.txt-end-to-end QoS, authorization of network resource usage and accurate ../data/rfc/rfc3599.txt:accounting for resources used. During session set up, policies may be ../data/rfc/rfc3599.txt-enforced to ensure that the media streams being requested lie within the ../data/rfc/rfc3599.txt-bounds of the service profile established for the requesting host. ../data/rfc/rfc3599.txt-Similarly, when a host requests resources to provide a certain QoS for a ../data/rfc/rfc3599.txt-packet flow, policies may be enforced to ensure that the required ../data/rfc/rfc3599.txt-resources lie within the bounds of the resource profile established for -- ../data/rfc/rfc2834.txt- section 7.1) has an inherent performance limit. In an LIS with n ../data/rfc/rfc2834.txt- ports, the upper bound on the bandwidth that such a service can ../data/rfc/rfc2834.txt- broadcast is: ../data/rfc/rfc2834.txt- (total bandwidth)/(n+1) ../data/rfc/rfc2834.txt- ../data/rfc/rfc2834.txt: since each message must first enter the broadcast server, accounting ../data/rfc/rfc2834.txt- for the additional 1, and then be sent to all n ports. The broadcast ../data/rfc/rfc2834.txt- server could forward the message destined to the port on which it ../data/rfc/rfc2834.txt- runs internally, thus reducing (n+1) to (n) in a first optimization. ../data/rfc/rfc2834.txt- ../data/rfc/rfc2834.txt- This service is adequate for the standard networking protocols such -- ../data/rfc/rfc4241.txt- ../data/rfc/rfc4241.txt-2.2. IP Layer ../data/rfc/rfc4241.txt- ../data/rfc/rfc4241.txt- After IPV6CP negotiation, the CPE initiates a prefix delegation ../data/rfc/rfc4241.txt- request. 
The PE chooses a global-scope prefix for the CPE with ../data/rfc/rfc4241.txt: information from an Authentication, Authorization, and Accounting ../data/rfc/rfc4241.txt- (AAA) server or local prefix pools, and it delegates the prefix to ../data/rfc/rfc4241.txt- the CPE. Once the prefix is delegated, the prefix is subnetted and ../data/rfc/rfc4241.txt- assigned to the local interfaces of the CPE. The CPE begins sending ../data/rfc/rfc4241.txt- ../data/rfc/rfc4241.txt- -- ../data/rfc/rfc5713.txt- respectively, describe the potential attacks and the different attack ../data/rfc/rfc5713.txt- forms that are liable to take place within ANCP, while Section 7 ../data/rfc/rfc5713.txt- applies the described potential attacks to ANCP and its different use ../data/rfc/rfc5713.txt- cases. Security policy negotiation, including authentication and ../data/rfc/rfc5713.txt- authorization to define the per-subscriber policy at the policy/AAA ../data/rfc/rfc5713.txt: (Authentication, Authorization, and Accounting) server, is out of the ../data/rfc/rfc5713.txt- scope of this work. As a high-level summary, the following aspects ../data/rfc/rfc5713.txt- need to be considered: ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt- Message Protection: ../data/rfc/rfc5713.txt- -- ../data/rfc/rfc5713.txt- A NAS provides access to a service (e.g., network access) and ../data/rfc/rfc5713.txt- operates as a client of the AAA protocol. The AAA client is ../data/rfc/rfc5713.txt- responsible for passing authentication information to designated ../data/rfc/rfc5713.txt- AAA servers and then acting on the response that is returned. 
../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt: Authentication, Authorization, and Accounting (AAA) server: ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt- A AAA server is responsible for authenticating users, authorizing ../data/rfc/rfc5713.txt- access to services, and returning authorization information ../data/rfc/rfc5713.txt- (including configuration parameters) back to the AAA client to ../data/rfc/rfc5713.txt- deliver service to the user. As a consequence, service usage ../data/rfc/rfc5713.txt: accounting might be enabled and information about the user's ../data/rfc/rfc5713.txt- resource usage will be sent to the AAA server. ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt- Access Node (AN): ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt- The AN is a network device, usually located at a service provider -- ../data/rfc/rfc5713.txt-Moustafa, et al. Informational [Page 14] ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt-RFC 5713 ANCP Threats January 2010 ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt: control, multicast accounting, and spontaneous admission response. ../data/rfc/rfc5713.txt- This section gives a high-level description of the possible attacks ../data/rfc/rfc5713.txt- that can take place in these cases. Attacks that can occur are ../data/rfc/rfc5713.txt- mostly active attacks. ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt- On-path active attacks can be as follows: -- ../data/rfc/rfc5713.txt- in the non-continuity of services. ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt- * Message replay between the AN and the NAS, on the AN or on the ../data/rfc/rfc5713.txt- NAS, leading to a DoS or services fraud. ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt: * Message modification to tamper with accounting information, for ../data/rfc/rfc5713.txt- example, in order to avoid service charges or, conversely, in ../data/rfc/rfc5713.txt- order to artificially increase service charges on other users.
../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt- ../data/rfc/rfc5713.txt- -- ../data/rfc/rfc1180.txt- ../data/rfc/rfc1180.txt- A B C ----D---- E F G ../data/rfc/rfc1180.txt- | | | | | | | | | ../data/rfc/rfc1180.txt- --o------o------o------o- | -o------o------o------o-- ../data/rfc/rfc1180.txt- Ethernet 1 | Ethernet 2 ../data/rfc/rfc1180.txt: IP network "development" | IP network "accounting" ../data/rfc/rfc1180.txt- | ../data/rfc/rfc1180.txt- | ../data/rfc/rfc1180.txt- | H I J ../data/rfc/rfc1180.txt- | | | | ../data/rfc/rfc1180.txt- --o-----o------o------o-- -- ../data/rfc/rfc1180.txt- IP networks are also given names. If you have 3 IP networks, your ../data/rfc/rfc1180.txt- "networks" file for documenting these names might look something like ../data/rfc/rfc1180.txt- this: ../data/rfc/rfc1180.txt- ../data/rfc/rfc1180.txt- 223.1.2 development ../data/rfc/rfc1180.txt: 223.1.3 accounting ../data/rfc/rfc1180.txt- 223.1.4 factory ../data/rfc/rfc1180.txt- ../data/rfc/rfc1180.txt- The IP network number is in the first column and its name is in the ../data/rfc/rfc1180.txt- second column. 
../data/rfc/rfc1180.txt- -- ../data/rfc/rfc1180.txt- | 1 | |1 2 3| | 1 | ../data/rfc/rfc1180.txt- --------- --------- --------- ../data/rfc/rfc1180.txt- | | | | | ../data/rfc/rfc1180.txt- --------o---------------o- | -o----------------o-------- ../data/rfc/rfc1180.txt- Ethernet 1 | Ethernet 2 ../data/rfc/rfc1180.txt: IP network "Development" | IP network "accounting" ../data/rfc/rfc1180.txt- | ../data/rfc/rfc1180.txt- | -------- ../data/rfc/rfc1180.txt- | | iota | ../data/rfc/rfc1180.txt- | | 1 | ../data/rfc/rfc1180.txt- | -------- -- ../data/rfc/rfc1180.txt- ../data/rfc/rfc1180.txt- --------------------------------------------------------------------- ../data/rfc/rfc1180.txt- |network direct/indirect flag router interface number| ../data/rfc/rfc1180.txt- --------------------------------------------------------------------- ../data/rfc/rfc1180.txt- |development direct <blank> 1 | ../data/rfc/rfc1180.txt: |accounting indirect devnetrouter 1 | ../data/rfc/rfc1180.txt- |factory indirect devnetrouter 1 | ../data/rfc/rfc1180.txt- --------------------------------------------------------------------- ../data/rfc/rfc1180.txt- TABLE 10. Alpha Route Table ../data/rfc/rfc1180.txt- ../data/rfc/rfc1180.txt- For discussion the table is printed again using numbers instead of -- ../data/rfc/rfc1180.txt- ---------------------------------------------------------------------- ../data/rfc/rfc1180.txt- |network direct/indirect flag router interface number| ../data/rfc/rfc1180.txt- ---------------------------------------------------------------------- ../data/rfc/rfc1180.txt- |development direct <blank> 1 | ../data/rfc/rfc1180.txt- |factory direct <blank> 3 | ../data/rfc/rfc1180.txt: |accounting direct <blank> 2 | ../data/rfc/rfc1180.txt- ---------------------------------------------------------------------- ../data/rfc/rfc1180.txt- TABLE 12. 
Delta's Route Table ../data/rfc/rfc1180.txt- ../data/rfc/rfc1180.txt- Below is delta's table printed again, without the translation to ../data/rfc/rfc1180.txt- names. -- ../data/rfc/rfc1720.txt- 1673 - Electric Power Research Institute Comments on IPng ../data/rfc/rfc1720.txt- ../data/rfc/rfc1720.txt- This is an information document and does not specify any ../data/rfc/rfc1720.txt- level of standard. ../data/rfc/rfc1720.txt- ../data/rfc/rfc1720.txt: 1672 - Accounting Requirements for IPng ../data/rfc/rfc1720.txt- ../data/rfc/rfc1720.txt- This is an information document and does not specify any ../data/rfc/rfc1720.txt- level of standard. ../data/rfc/rfc1720.txt- ../data/rfc/rfc1720.txt- 1671 - IPng White Paper on Transition and Other Considerations -- ../data/rfc/rfc8711.txt- fundraising, to manage the various contractors that are engaged to ../data/rfc/rfc8711.txt- fulfill the IETF's administrative needs, and to support outreach and ../data/rfc/rfc8711.txt- communications were envisioned. ../data/rfc/rfc8711.txt- ../data/rfc/rfc8711.txt- The IETF has historically benefited from the use of contractors for ../data/rfc/rfc8711.txt: accounting, finance, meeting planning, administrative assistance, ../data/rfc/rfc8711.txt- legal counsel, tools, and web site support, as well as other services ../data/rfc/rfc8711.txt- related to the standards process (e.g., RFC Editor and IANA). Prior ../data/rfc/rfc8711.txt- to making the transition from IASA to IASA 2.0, the IETF budget ../data/rfc/rfc8711.txt- reflected specific support from ISOC for communications and ../data/rfc/rfc8711.txt: fundraising as well as some general support for accounting, finance, ../data/rfc/rfc8711.txt- legal, and other services. The division of responsibilities between ../data/rfc/rfc8711.txt- staff and contractors is at the discretion of the IETF Executive ../data/rfc/rfc8711.txt- Director and their staff. 
../data/rfc/rfc8711.txt- ../data/rfc/rfc8711.txt- The IETF has a long history of community involvement in the execution -- ../data/rfc/rfc8711.txt- * Approving any changes to the LLC governance structure. ../data/rfc/rfc8711.txt- ../data/rfc/rfc8711.txt- * Adopting an annual budget and, as necessary, incur any debt. ../data/rfc/rfc8711.txt- ../data/rfc/rfc8711.txt- * Preparing accurate and timely financial statements for ISOC, in ../data/rfc/rfc8711.txt: accordance with generally accepted accounting principles. ../data/rfc/rfc8711.txt- ../data/rfc/rfc8711.txt- * Providing assistance to help facilitate ISOC's tax compliance, ../data/rfc/rfc8711.txt- including but not limited to assistance related to preparing the ../data/rfc/rfc8711.txt- Form 990 and responding to any United States Internal Revenue ../data/rfc/rfc8711.txt- Service (IRS) questions and audits. -- ../data/rfc/rfc2341.txt- 2.3 Virtual dial-up Service - a walk-though 5 ../data/rfc/rfc2341.txt- 3.0 Service Model Issues 7 ../data/rfc/rfc2341.txt- 3.1 Security 7 ../data/rfc/rfc2341.txt- 3.2 Address allocation 8 ../data/rfc/rfc2341.txt- 3.3 Authentication 8 ../data/rfc/rfc2341.txt: 3.4 Accounting 8 ../data/rfc/rfc2341.txt- 4.0 Protocol Definition 9 ../data/rfc/rfc2341.txt- 4.1 Encapsulation within L2F 10 ../data/rfc/rfc2341.txt- 4.1.1 Encapsulation of PPP within L2F 10 ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- -- ../data/rfc/rfc2341.txt- The address should be assigned by the home site and not the ISP. ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- + Authorization should be managed by the home site as it would in a ../data/rfc/rfc2341.txt- direct dial-up solution. ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt: + Accounting should be performed both by the ISP (for billing ../data/rfc/rfc2341.txt- purposes) and by the user (for charge-back and auditing). 
../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt-2.2 Topology ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- Shown below is a generic Internet with Public switched Telephone -- ../data/rfc/rfc2341.txt- remote user has become simply another dial-up client of the Home ../data/rfc/rfc2341.txt- Gateway access server, client connectivity can now be managed using ../data/rfc/rfc2341.txt- traditional mechanisms with respect to further authorization, ../data/rfc/rfc2341.txt- protocol access, and filtering. ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt: Accounting can be performed at both the NAS as well as the Home ../data/rfc/rfc2341.txt: Gateway. This document illustrates some Accounting techniques which ../data/rfc/rfc2341.txt: are possible using L2F, but the policies surrounding such Accounting ../data/rfc/rfc2341.txt- are outside the scope of this specification. ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- Because L2F connect notifications for PPP clients contain sufficient ../data/rfc/rfc2341.txt- information for a Home Gateway to authenticate and initialize its LCP ../data/rfc/rfc2341.txt- state machine, it is not required that the remote user be queried a -- ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt-3.0 Service Model Issues ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- There are several significant differences between the standard ../data/rfc/rfc2341.txt- Internet access service and the Virtual dial-up service with respect ../data/rfc/rfc2341.txt: to authentication, address allocation, authorization and accounting. ../data/rfc/rfc2341.txt- The details of the differences between these services and the ../data/rfc/rfc2341.txt- problems presented by these differences are described below. 
The ../data/rfc/rfc2341.txt- mechanisms used for Virtual Dial-up service are intended to coexist ../data/rfc/rfc2341.txt- with more traditional mechanisms; it is intended that an ISP's POP ../data/rfc/rfc2341.txt- can simultaneously service ISP clients as well as Virtual dial-up -- ../data/rfc/rfc2341.txt- activities are outside the scope of this specification, but might ../data/rfc/rfc2341.txt- include an additional cycle of LCP authentication, proprietary PPP ../data/rfc/rfc2341.txt- extensions, or textual challenges carried via a TCP/IP telnet ../data/rfc/rfc2341.txt- session. ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt:3.4 Accounting ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- It is a requirement that both the Access gateway and the Home Gateway ../data/rfc/rfc2341.txt: can provide accounting data and hence both may count packets, octets ../data/rfc/rfc2341.txt- and connection start and stop times. ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt-Valencia, et. al. Historic [Page 8] ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt-RFC 2341 Cisco L2F May 1998 ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt: Since Virtual dial-up is an access service, accounting of connection ../data/rfc/rfc2341.txt- attempts (in particular, failed connection attempts) is of ../data/rfc/rfc2341.txt- significant interest. The Home Gateway can reject new connections ../data/rfc/rfc2341.txt- based on the authentication information gathered by the ISP, with ../data/rfc/rfc2341.txt- corresponding logging. For cases where the Home Gateway accepts the ../data/rfc/rfc2341.txt- connection and then continues with further authentication, the Home ../data/rfc/rfc2341.txt- Gateway might subsequently disconnect the client. For such ../data/rfc/rfc2341.txt- scenarios, the disconnection indication back to the ISP may also ../data/rfc/rfc2341.txt- include a reason. 
../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- Because the Home Gateway can decline a connection based on the ../data/rfc/rfc2341.txt: authentication information collected by the ISP, accounting can ../data/rfc/rfc2341.txt- easily draw a distinction between a series of failed connection ../data/rfc/rfc2341.txt- attempts and a series of brief successful connections. Lacking this ../data/rfc/rfc2341.txt- facility, the Home Gateway must always accept connection requests, ../data/rfc/rfc2341.txt- and would need to exchange a number of PPP packets with the remote ../data/rfc/rfc2341.txt- system. -- ../data/rfc/rfc2341.txt- and received across the Internet. ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- + Connection management of L2F and MIDs. The tunnel must be ../data/rfc/rfc2341.txt- initiated and terminated, as must MIDs within the tunnel. ../data/rfc/rfc2341.txt- Termination includes diagnostic codes to assist in the diagnosis ../data/rfc/rfc2341.txt: of problems and to support accounting. ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- While providing these services, the protocol must address the ../data/rfc/rfc2341.txt- following required attributes: ../data/rfc/rfc2341.txt- ../data/rfc/rfc2341.txt- + Low overhead. The protocol must impose a minimal additional -- ../data/rfc/rfc7397.txt- The relationship between the policy enforcement point and the policy ../data/rfc/rfc7397.txt- decision point plays an important role regarding the standardization ../data/rfc/rfc7397.txt- needs and the type of information that needs to be conveyed between ../data/rfc/rfc7397.txt- these two entities. ../data/rfc/rfc7397.txt- ../data/rfc/rfc7397.txt: For example, in an Authentication, Authorization, and Accounting ../data/rfc/rfc7397.txt- (AAA) context, the authorization decision happens at the AAA server ../data/rfc/rfc7397.txt- (after the user requesting access to a network or some application- ../data/rfc/rfc7397.txt- level services had been authenticated). 
Then, the decision about ../data/rfc/rfc7397.txt- granting access (or rejecting it) is communicated from the AAA server ../data/rfc/rfc7397.txt- to the AAA client at the end of the network access authentication -- ../data/rfc/rfc661.txt- ../data/rfc/rfc661.txt- EXEC (24580,) "The Executive Package" ../data/rfc/rfc661.txt- ../data/rfc/rfc661.txt- This document describes a package that runs in the ../data/rfc/rfc661.txt- setting provided by PCP. It includes procedures and data ../data/rfc/rfc661.txt: stores for user identification, accounting, and usage ../data/rfc/rfc661.txt- information. ../data/rfc/rfc661.txt- ../data/rfc/rfc661.txt- Pathname: [SRI-ARC] <NLS> EXEC.TXT ../data/rfc/rfc661.txt- ../data/rfc/rfc661.txt- FILE (24582,) "The File Package" -- ../data/rfc/rfc5026.txt- +--+ ../data/rfc/rfc5026.txt- ../data/rfc/rfc5026.txt- Figure 2 -- Split Scenario (MSA != MSP) ../data/rfc/rfc5026.txt- ../data/rfc/rfc5026.txt- Note that Figure 1 and Figure 2 assume the use of an Authentication, ../data/rfc/rfc5026.txt: Authorization, and Accounting (AAA) protocol to authenticate and ../data/rfc/rfc5026.txt- authorize the Mobile Node for mobility service. 
However, since the ../data/rfc/rfc5026.txt- Internet Key Exchange Protocol (IKEv2) allows an Extensible ../data/rfc/rfc5026.txt- Authentication Protocol (EAP) client authentication only and the ../data/rfc/rfc5026.txt- server authentication needs to be performed based on certificates or ../data/rfc/rfc5026.txt- public keys, the Mobile Node potentially requires a Certificate -- ../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt- 223 - Network Information Center Schedule for Network Users ../data/rfc/rfc1000.txt- 185 - NIC Distribution of Manuals and Handbooks ../data/rfc/rfc1000.txt- 154 - Exposition Style ../data/rfc/rfc1000.txt: 136 - Host Accounting and Administrative Procedures ../data/rfc/rfc1000.txt- 118 - Information Required for Each Service Available to the ../data/rfc/rfc1000.txt- Network ../data/rfc/rfc1000.txt- 095 - Distribution of NWG/RFC's Through the NIC ../data/rfc/rfc1000.txt- 016 - MIT ../data/rfc/rfc1000.txt- -- ../data/rfc/rfc1000.txt- 673 Never Issued. ../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt- 672 Schantz Dec 74 A Multi-Site Data Collection ../data/rfc/rfc1000.txt- Facility ../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt: Applicability of TIP/Tenex protocols beyond TIP accounting. ../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt- 671 Schantz Dec 74 A Note on Reconnection Protocol ../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt- Experience with implementation in RSEXEC context. ../data/rfc/rfc1000.txt- -- ../data/rfc/rfc1000.txt- Document ../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt- Solicitation for review and comment before the Atlantic City NWG ../data/rfc/rfc1000.txt- meetings. ../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt: 136 Kahn Apr 71 Host Accounting and Administrative ../data/rfc/rfc1000.txt- Procedures ../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt- Discussion of a plan to be formulated and accepted for the ../data/rfc/rfc1000.txt: development of a Host accounting system in the ARPA Network. 
../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt- 135 Hathaway Apr 71 Response to RFC 110 ../data/rfc/rfc1000.txt- ../data/rfc/rfc1000.txt- Comments and proposals of new conventions to replace the ones ../data/rfc/rfc1000.txt- proposed in RFC 110. -- ../data/rfc/rfc3317.txt- Figure 5: Action Usage Example ../data/rfc/rfc3317.txt- ../data/rfc/rfc3317.txt- This example uses the frwkILabelMarker PRC defined in [FR-PIB], ../data/rfc/rfc3317.txt- showing the device internal label being used to indicate the micro ../data/rfc/rfc3317.txt- flow that feeds into the aggregated AF flow. This device internal ../data/rfc/rfc3317.txt: label may be used for flow accounting purposes and/or other data path ../data/rfc/rfc3317.txt- treatments. ../data/rfc/rfc3317.txt- ../data/rfc/rfc3317.txt-5.5. Dropper Examples ../data/rfc/rfc3317.txt- ../data/rfc/rfc3317.txt- The Dropper examples below will continue from the Action example -- ../data/rfc/rfc7575.txt- fundamental to the concept. If a problem can be solved in a ../data/rfc/rfc7575.txt- distributed manner, it should not be centralized. ../data/rfc/rfc7575.txt- ../data/rfc/rfc7575.txt- In certain cases, it is today operationally preferable to keep a ../data/rfc/rfc7575.txt- central repository of information, for example, a user database on an ../data/rfc/rfc7575.txt: Authentication, Authorization, and Accounting (AAA) server. An ../data/rfc/rfc7575.txt- Autonomic Network should be able to use such central systems, in ../data/rfc/rfc7575.txt- order to be deployable. It is possible to distribute such databases ../data/rfc/rfc7575.txt- as well, and such efforts should be at least considered. Depending ../data/rfc/rfc7575.txt- on the case, distribution may not be simple replication but may ../data/rfc/rfc7575.txt- involve more complex interactions and organization. 
-- ../data/rfc/rfc4851.txt- With these motivational goals defined, further secondary design ../data/rfc/rfc4851.txt- criteria are imposed: ../data/rfc/rfc4851.txt- ../data/rfc/rfc4851.txt- o Flexibility to extend the communications inside the tunnel: with ../data/rfc/rfc4851.txt- the growing complexity in network infrastructures, the need to ../data/rfc/rfc4851.txt: gain authentication, authorization, and accounting is also ../data/rfc/rfc4851.txt- evolving. For instance, there may be instances in which multiple ../data/rfc/rfc4851.txt- existing authentication protocols are required to achieve mutual ../data/rfc/rfc4851.txt- authentication. Similarly, different protected conversations may ../data/rfc/rfc4851.txt- be required to achieve the proper authorization once a peer has ../data/rfc/rfc4851.txt- successfully authenticated. -- ../data/rfc/rfc7119.txt- there is a time gap between the times in the Flow Records, then the ../data/rfc/rfc7119.txt- report may be inaccurate. The IPFIX Mediator is only reporting what ../data/rfc/rfc7119.txt- it knows, on the basis of the information made available to it, and ../data/rfc/rfc7119.txt- there may not have been any data to observe during the gap. Then ../data/rfc/rfc7119.txt- again, if there is an overlap in timestamps, there's the potential of ../data/rfc/rfc7119.txt: double-accounting: different Observation Points may have observed the ../data/rfc/rfc7119.txt- same traffic simultaneously. The specification of the precise rules ../data/rfc/rfc7119.txt- for applying Flow Record timestamps at IPFIX Mediators for all the ../data/rfc/rfc7119.txt- different situations is out of the scope of this document. ../data/rfc/rfc7119.txt- ../data/rfc/rfc7119.txt- Note that [RFC7015] provides additional specifications for handling -- ../data/rfc/rfc3897.txt- OPES System that give the impression that unwanted content ../data/rfc/rfc3897.txt- transformation was performed on the data. 
This can be achieved by ../data/rfc/rfc3897.txt- inserting wrong entity (such OPES processor) identifiers. A ../data/rfc/rfc3897.txt- compromised trace can affect the overall message integrity structure. ../data/rfc/rfc3897.txt- This can affect entities that use message header information to ../data/rfc/rfc3897.txt: perform services such as accounting, load balancing, or reference- ../data/rfc/rfc3897.txt- based services. ../data/rfc/rfc3897.txt- ../data/rfc/rfc3897.txt- ../data/rfc/rfc3897.txt- ../data/rfc/rfc3897.txt- -- ../data/rfc/rfc3897.txt-RFC 3897 OPES Entities & End Points Communication September 2004 ../data/rfc/rfc3897.txt- ../data/rfc/rfc3897.txt- ../data/rfc/rfc3897.txt- Attackers can use the bypass instruction to affect the overall ../data/rfc/rfc3897.txt- integrity of the OPES System. The ability to introduce bypass ../data/rfc/rfc3897.txt: instructions into a data flow may effect the accounting of the OPES ../data/rfc/rfc3897.txt- System. It may also affect the quality of content that is delivered ../data/rfc/rfc3897.txt- to the data consumer applications. Similar threats can arise from ../data/rfc/rfc3897.txt- bad implementations of the bypass facility. ../data/rfc/rfc3897.txt- ../data/rfc/rfc3897.txt- Inconsistent or selective bypass is also a threat. Here, one end can -- ../data/rfc/rfc150.txt-appreciated. Especially of interest are opinions about the usefulness ../data/rfc/rfc150.txt-of the discussion and wether or not there should be more papers ../data/rfc/rfc150.txt-directed at other of the basic questions of computer networking. If ../data/rfc/rfc150.txt-the consensus tends to the affirmative, then others are encouraged to ../data/rfc/rfc150.txt-contribute working papers on the problems of flow control, error ../data/rfc/rfc150.txt:handling, process ownership, accounting, resource control, and the ../data/rfc/rfc150.txt-like. 
../data/rfc/rfc150.txt- ../data/rfc/rfc150.txt- ../data/rfc/rfc150.txt-RBK/TX2 ../data/rfc/rfc150.txt- -- ../data/rfc/rfc8886.txt- ../data/rfc/rfc8886.txt-4. Operator Role ../data/rfc/rfc8886.txt- ../data/rfc/rfc8886.txt-4.1. Administrative ../data/rfc/rfc8886.txt- ../data/rfc/rfc8886.txt: When purchasing a new device, the accounting department will need to ../data/rfc/rfc8886.txt- get the unique device identifier (e.g., serial number) of the new ../data/rfc/rfc8886.txt- device and communicate it to the operations group. ../data/rfc/rfc8886.txt- ../data/rfc/rfc8886.txt-4.2. Technical ../data/rfc/rfc8886.txt- -- ../data/rfc/rfc3708.txt- segment receipt through duplicate selective acknowledgment (DSACK) ../data/rfc/rfc3708.txt- [RFC2883] and Duplicate TSN notifications, respectively. Using this ../data/rfc/rfc3708.txt- information, a TCP or SCTP sender can generally determine when a ../data/rfc/rfc3708.txt- retransmission was sent in error. This document presents two methods ../data/rfc/rfc3708.txt- for using duplicate notifications. The first method is simple and ../data/rfc/rfc3708.txt: can be used for accounting applications. The second method is a ../data/rfc/rfc3708.txt- conservative algorithm to disambiguate unnecessary retransmissions ../data/rfc/rfc3708.txt- from loss events for the purpose of undoing unnecessary congestion ../data/rfc/rfc3708.txt- control changes. ../data/rfc/rfc3708.txt- ../data/rfc/rfc3708.txt- -- ../data/rfc/rfc8658.txt- period. DHCPv6 options have been defined to configure clients for ../data/rfc/rfc8658.txt- Lightweight 4over6, Mapping of Address and Port with Encapsulation ../data/rfc/rfc8658.txt- (MAP-E), Mapping of Address and Port using Translation (MAP-T) ../data/rfc/rfc8658.txt- unicast softwire mechanisms, and multicast softwires. 
However, in ../data/rfc/rfc8658.txt- many networks, configuration information is stored in an ../data/rfc/rfc8658.txt: Authentication, Authorization, and Accounting (AAA) server, which ../data/rfc/rfc8658.txt- utilizes the Remote Authentication Dial In User Service (RADIUS) ../data/rfc/rfc8658.txt- protocol to provide centralized management for users. When a new ../data/rfc/rfc8658.txt- transition mechanism is developed, new RADIUS attributes need to be ../data/rfc/rfc8658.txt- defined correspondingly. ../data/rfc/rfc8658.txt- -- ../data/rfc/rfc8658.txt- multicast services to IPv4 clients over an IPv6 multicast network. ../data/rfc/rfc8658.txt- For each of these mechanisms, DHCPv6 options have been specified for ../data/rfc/rfc8658.txt- client configuration. ../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt- In many networks, user configuration information is stored in an ../data/rfc/rfc8658.txt: Authentication, Authorization, and Accounting (AAA) server. AAA ../data/rfc/rfc8658.txt- servers generally communicate using the Remote Authentication Dial In ../data/rfc/rfc8658.txt- User Service (RADIUS) [RFC2865] protocol. In a fixed broadband ../data/rfc/rfc8658.txt- network, a Broadband Network Gateway (BNG) acts as the access gateway ../data/rfc/rfc8658.txt- for users. That is, the BNG acts as both a AAA client to the AAA ../data/rfc/rfc8658.txt- server and a DHCPv6 server for DHCPv6 messages sent by clients. -- ../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt- * The Softwire46-Configuration Attribute MAY appear in a CoA-Request ../data/rfc/rfc8658.txt- packet. ../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt- * The Softwire46-Configuration Attribute MAY appear in an ../data/rfc/rfc8658.txt: Accounting-Request packet. ../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt- * The Softwire46-Configuration Attribute MUST NOT appear in any ../data/rfc/rfc8658.txt- other RADIUS packet. 
../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt- The Softwire46-Configuration Attribute is structured as follows: -- ../data/rfc/rfc8658.txt- packet. It MAY also appear in an Access-Request packet. ../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt- The Softwire46-Priority Attribute MAY appear in a CoA-Request ../data/rfc/rfc8658.txt- packet. ../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt: The Softwire46-Priority Attribute MAY appear in an Accounting- ../data/rfc/rfc8658.txt- Request packet. ../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt- The Softwire46-Priority Attribute MUST NOT appear in any other ../data/rfc/rfc8658.txt- RADIUS packet. ../data/rfc/rfc8658.txt- -- ../data/rfc/rfc8658.txt- Softwire46-Multicast, these prefixes may be inserted in the ../data/rfc/rfc8658.txt- attribute. The RADIUS server MAY ignore the hint sent by the BNG, ../data/rfc/rfc8658.txt- and it MAY assign a different Softwire46-Multicast Attribute. ../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt- * The Softwire46-Multicast Attribute MAY appear in an Access- ../data/rfc/rfc8658.txt: Request, Access-Accept, CoA-Request, and Accounting-Request ../data/rfc/rfc8658.txt- packet. ../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt- * The Softwire46-Multicast Attribute MUST NOT appear in any other ../data/rfc/rfc8658.txt- RADIUS packet. ../data/rfc/rfc8658.txt- -- ../data/rfc/rfc8658.txt- (lwAFTR)/BR. This can be achieved in two ways: static ../data/rfc/rfc8658.txt- preconfiguration of the bindings on both the AAA server and lwAFTR ../data/rfc/rfc8658.txt- or on demand, whereby the AAA server updates the lwAFTR with the ../data/rfc/rfc8658.txt- CE's binding state as it is created or deleted. ../data/rfc/rfc8658.txt- ../data/rfc/rfc8658.txt: In some deployments, the DHCP server may use the Accounting-Request ../data/rfc/rfc8658.txt- to report the softwire configuration returned to a requesting host to ../data/rfc/rfc8658.txt- a AAA server. 
It is the responsibility of the DHCP server to ensure ../data/rfc/rfc8658.txt- the consistency of the configuration provided to the requesting ../data/rfc/rfc8658.txt- hosts. Reported data to a AAA server may be required for various ../data/rfc/rfc8658.txt- operational purposes (e.g., regulatory). -- ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- The packet format consists of the fields: Code, Identifier, Length, ../data/rfc/rfc3576.txt- Authenticator, and Attributes in Type:Length:Value (TLV) format. All ../data/rfc/rfc3576.txt- fields hold the same meaning as those described in RADIUS [RFC2865]. ../data/rfc/rfc3576.txt- The Authenticator field MUST be calculated in the same way as is ../data/rfc/rfc3576.txt: specified for an Accounting-Request in [RFC2866]. ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- 0 1 2 3 ../data/rfc/rfc3576.txt- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ../data/rfc/rfc3576.txt- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ../data/rfc/rfc3576.txt- | Code | Identifier | Length | -- ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- Request Authenticator ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- In Request packets, the Authenticator value is a 16 octet MD5 ../data/rfc/rfc3576.txt- [RFC1321] checksum, called the Request Authenticator. The Request ../data/rfc/rfc3576.txt: Authenticator is calculated the same way as for an Accounting- ../data/rfc/rfc3576.txt- Request, specified in [RFC2866]. ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- Note that the Request Authenticator of a Disconnect or CoA-Request ../data/rfc/rfc3576.txt- cannot be done the same way as the Request Authenticator of a ../data/rfc/rfc3576.txt- RADIUS Access-Request, because there is no User-Password Attribute -- ../data/rfc/rfc3576.txt- here a Disconnect-NAK MUST be sent. 
../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- Since within this specification attributes may be used for ../data/rfc/rfc3576.txt- identification, authorization or other purposes, even if a NAS ../data/rfc/rfc3576.txt- implements an attribute for use with RADIUS authentication and ../data/rfc/rfc3576.txt: accounting, it may not support inclusion of that attribute within ../data/rfc/rfc3576.txt- Disconnect-Request or CoA-Request messages, given the difference ../data/rfc/rfc3576.txt- in attribute semantics. This is true even for attributes ../data/rfc/rfc3576.txt- specified within [RFC2865], [RFC2868], [RFC2869] or [RFC3162] as ../data/rfc/rfc3576.txt- allowable within Access-Accept messages. ../data/rfc/rfc3576.txt- -- ../data/rfc/rfc3576.txt- attribute value is to remain unchanged. Attributes included in a ../data/rfc/rfc3576.txt- CoA-Request replace all existing value(s) of the same attribute(s). ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- [Note 4] When included within a successful Disconnect-Request (where ../data/rfc/rfc3576.txt- a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be ../data/rfc/rfc3576.txt: sent unmodified by the client to the accounting server in the ../data/rfc/rfc3576.txt: Accounting Stop packet. If the Disconnect-Request is unsuccessful, ../data/rfc/rfc3576.txt- then the Class Attribute is not processed. ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- [Note 5] When included within a CoA-Request, these attributes ../data/rfc/rfc3576.txt- represent an authorization change request. Where tunnel attribute(s) ../data/rfc/rfc3576.txt- are sent within a successful CoA-Request, all existing tunnel -- ../data/rfc/rfc3576.txt- used to provide per-packet confidentiality, authentication, integrity ../data/rfc/rfc3576.txt- and replay protection. IKE SHOULD be used for key management. 
../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- Within RADIUS [RFC2865], a shared secret is used for hiding ../data/rfc/rfc3576.txt- Attributes such as User-Password, as well as used in computation of ../data/rfc/rfc3576.txt: the Response Authenticator. In RADIUS accounting [RFC2866], the ../data/rfc/rfc3576.txt- shared secret is used in computation of both the Request ../data/rfc/rfc3576.txt- Authenticator and the Response Authenticator. ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- Since in RADIUS a shared secret is used to provide confidentiality as ../data/rfc/rfc3576.txt- well as integrity protection and authentication, only use of IPsec -- ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson, ../data/rfc/rfc3576.txt- "Remote Authentication Dial In User Service (RADIUS)", ../data/rfc/rfc3576.txt- RFC 2865, June 2000. ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- [RFC2869] Rigney, C., Willats, W. and P. Calhoun, "RADIUS ../data/rfc/rfc3576.txt- Extensions", RFC 2869, June 2000. ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- [RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6", -- ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- [RFC2983] Black, D. "Differentiated Services and Tunnels", RFC ../data/rfc/rfc3576.txt- 2983, October 2000. ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- [AAATransport] Aboba, B. and J. Wood, "Authentication, Authorization ../data/rfc/rfc3576.txt: and Accounting (AAA) Transport Profile", RFC 3539, ../data/rfc/rfc3576.txt- June 2003. ../data/rfc/rfc3576.txt- ../data/rfc/rfc3576.txt- [Diameter] Calhoun, P., et al., "Diameter Base Protocol", Work in ../data/rfc/rfc3576.txt- Progress. ../data/rfc/rfc3576.txt- -- ../data/rfc/rfc4849.txt- unsupported attribute. 
It is RECOMMENDED that an Error-Cause ../data/rfc/rfc4849.txt- attribute with value set to "Unsupported Attribute" (401) be included ../data/rfc/rfc4849.txt- in the CoA-NAK. As noted in [RFC3576], authorization changes are ../data/rfc/rfc4849.txt- atomic so that this situation does not result in session termination, ../data/rfc/rfc4849.txt- and the pre-existing configuration remains unchanged. As a result, ../data/rfc/rfc4849.txt: no accounting packets should be generated because of the CoA-Request. ../data/rfc/rfc4849.txt- ../data/rfc/rfc4849.txt-2. NAS-Filter-Rule Attribute ../data/rfc/rfc4849.txt- ../data/rfc/rfc4849.txt- Description ../data/rfc/rfc4849.txt- ../data/rfc/rfc4849.txt- This attribute indicates filter rules to be applied for this user. ../data/rfc/rfc4849.txt- Zero or more NAS-Filter-Rule attributes MAY be sent in Access-Accept, ../data/rfc/rfc4849.txt: CoA-Request, or Accounting-Request packets. ../data/rfc/rfc4849.txt- ../data/rfc/rfc4849.txt- The NAS-Filter-Rule attribute is not intended to be used concurrently ../data/rfc/rfc4849.txt- with any other filter rule attribute, including Filter-Id (11) and ../data/rfc/rfc4849.txt- NAS-Traffic-Rule [Traffic] attributes. NAS-Filter-Rule and NAS- ../data/rfc/rfc4849.txt- Traffic-Rule attributes MUST NOT appear in the same RADIUS packet. -- ../data/rfc/rfc4849.txt- range. ../data/rfc/rfc4849.txt- ../data/rfc/rfc4849.txt-6. Security Considerations ../data/rfc/rfc4849.txt- ../data/rfc/rfc4849.txt- This specification describes the use of RADIUS for purposes of ../data/rfc/rfc4849.txt: authentication, authorization and accounting. Threats and security ../data/rfc/rfc4849.txt- issues for this application are described in [RFC3579] and [RFC3580]; ../data/rfc/rfc4849.txt- security issues encountered in roaming are described in [RFC2607]. 
../data/rfc/rfc4849.txt- ../data/rfc/rfc4849.txt- This document specifies a new attribute that can be included in ../data/rfc/rfc4849.txt- existing RADIUS packets, which are protected as described in -- ../data/rfc/rfc4849.txt- in transit. They do not prevent an authorized RADIUS/Diameter server ../data/rfc/rfc4849.txt- or proxy from modifying, inserting, or removing attributes with ../data/rfc/rfc4849.txt- malicious intent. Filter attributes modified or removed by a ../data/rfc/rfc4849.txt- RADIUS/Diameter proxy may enable a user to obtain network access ../data/rfc/rfc4849.txt- without the appropriate filters; if the proxy were also to modify ../data/rfc/rfc4849.txt: accounting packets, then the modification would not be reflected in ../data/rfc/rfc4849.txt: the accounting server logs. ../data/rfc/rfc4849.txt- ../data/rfc/rfc4849.txt- Since the RADIUS protocol currently does not support capability ../data/rfc/rfc4849.txt- negotiation, a RADIUS server cannot automatically discover whether a ../data/rfc/rfc4849.txt- NAS supports the NAS-Filter-Rule attribute. A legacy NAS not ../data/rfc/rfc4849.txt- compliant with this specification may silently discard the NAS- -- ../data/rfc/rfc4378.txt- ../data/rfc/rfc4378.txt- This document is a framework for how data plane protocols can be ../data/rfc/rfc4378.txt- applied to operations and maintenance procedures for Multi-Protocol ../data/rfc/rfc4378.txt- Label Switching (MPLS). The document is structured to outline how ../data/rfc/rfc4378.txt- Operations and Management (OAM) functionality can be used to assist ../data/rfc/rfc4378.txt: in fault, configuration, accounting, performance, and security ../data/rfc/rfc4378.txt- management, commonly known by the acronym FCAPS. ../data/rfc/rfc4378.txt- ../data/rfc/rfc4378.txt-Table of Contents ../data/rfc/rfc4378.txt- ../data/rfc/rfc4378.txt- 1. Introduction ....................................................2 -- ../data/rfc/rfc4378.txt- 3. 
Fault Management ................................................2 ../data/rfc/rfc4378.txt- 3.1. Fault Detection ............................................2 ../data/rfc/rfc4378.txt- 3.2. Diagnosis ..................................................6 ../data/rfc/rfc4378.txt- 3.3. Availability ...............................................7 ../data/rfc/rfc4378.txt- 4. Configuration Management ........................................7 ../data/rfc/rfc4378.txt: 5. Accounting ......................................................7 ../data/rfc/rfc4378.txt- 6. Performance Management ..........................................7 ../data/rfc/rfc4378.txt- 7. Security Management .............................................8 ../data/rfc/rfc4378.txt- 8. Security Considerations .........................................9 ../data/rfc/rfc4378.txt- 9. Acknowledgements ................................................9 ../data/rfc/rfc4378.txt- 10. Normative References ...........................................9 -- ../data/rfc/rfc4378.txt-1. Introduction ../data/rfc/rfc4378.txt- ../data/rfc/rfc4378.txt- This memo outlines in broader terms how data plane protocols can ../data/rfc/rfc4378.txt- assist in meeting the Operations and Management (OAM) requirements ../data/rfc/rfc4378.txt- outlined in [RFC4377] and [Y1710] and can apply to the management ../data/rfc/rfc4378.txt: functions of fault, configuration, accounting, performance, and ../data/rfc/rfc4378.txt- security (commonly known as FCAPS) for MPLS networks, as defined in ../data/rfc/rfc4378.txt- [RFC3031]. The approach of the document is to outline functionality, ../data/rfc/rfc4378.txt- the potential mechanisms to provide the function, and the required ../data/rfc/rfc4378.txt- applicability of data plane OAM functions. Included in the ../data/rfc/rfc4378.txt- discussion are security issues specific to use of tools within a -- ../data/rfc/rfc4378.txt- path function is synchronized with the control plane. 
As part of the ../data/rfc/rfc4378.txt- payload, the probe would carry relevant control plane information ../data/rfc/rfc4378.txt- that the receiver would be able to compare with the local-control ../data/rfc/rfc4378.txt- plane configuration. ../data/rfc/rfc4378.txt- ../data/rfc/rfc4378.txt:5. Accounting ../data/rfc/rfc4378.txt- ../data/rfc/rfc4378.txt: The requirements for accounting in MPLS networks, as specified in ../data/rfc/rfc4378.txt- [RFC4377], do not place any requirements on data plane OAM. ../data/rfc/rfc4378.txt- ../data/rfc/rfc4378.txt-6. Performance Management ../data/rfc/rfc4378.txt- ../data/rfc/rfc4378.txt- Performance management permits the information transfer -- ../data/rfc/rfc1077.txt- 2.5. Network Management and Routing ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt- The objective of network management is to ensure that the network ../data/rfc/rfc1077.txt- functions smoothly and efficiently, and consists of the following: ../data/rfc/rfc1077.txt: accounting, security, performance monitoring, fault isolation and ../data/rfc/rfc1077.txt- configuration control. ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt: Accounting ensures that users are properly billed for the services ../data/rfc/rfc1077.txt: that the network provides. Accounting enforces a tariff; a tariff ../data/rfc/rfc1077.txt- expresses a usage policy. The network need only keep track of those ../data/rfc/rfc1077.txt- items addressed by the tariff, such as allocated bandwidth, number of ../data/rfc/rfc1077.txt: packets sent, number of ports used, etc. Another type of accounting ../data/rfc/rfc1077.txt- may need to be supported by the network to support resource sharing, ../data/rfc/rfc1077.txt: namely accounting analogous to telephone "900" numbers. 
This ../data/rfc/rfc1077.txt: accounting performed by the network on behalf of resource providers ../data/rfc/rfc1077.txt- and consumers is a pragmatic solution to the problem of getting the ../data/rfc/rfc1077.txt- users and consumers into a financial relationship with each other ../data/rfc/rfc1077.txt- which has stymied previous attempts to achieve widespread use of ../data/rfc/rfc1077.txt- specialized resources. ../data/rfc/rfc1077.txt- -- ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt- One approach is to use a general three-level structure, corresponding ../data/rfc/rfc1077.txt- to interadministrational, intraadministrational, and cluster ../data/rfc/rfc1077.txt- networks. The first level interconnects communication facilities of ../data/rfc/rfc1077.txt- truly separate administrations where there is significant separation ../data/rfc/rfc1077.txt: of security, accounting, and goals. The second level interconnects ../data/rfc/rfc1077.txt- subadministrations which exist for management convenience in large ../data/rfc/rfc1077.txt- organizations. For example, a research group within a university may ../data/rfc/rfc1077.txt- function as a subadministration. The cluster level consists of ../data/rfc/rfc1077.txt- networks configured to provide maximal performance among hosts which ../data/rfc/rfc1077.txt- are in frequent communication, such as a set of diskless workstations -- ../data/rfc/rfc1077.txt- and management. Internetworking must support cohesion within an ../data/rfc/rfc1077.txt- administration and a healthy separation between administrations. To ../data/rfc/rfc1077.txt- illustrate by analogy, the American and Soviet embassies in Mexico ../data/rfc/rfc1077.txt- City are geographically closer to each other than to their respective ../data/rfc/rfc1077.txt- home countries but further in administrational distance, including ../data/rfc/rfc1077.txt: security, accounting, etc. 
The emerging revolution in WANs makes ../data/rfc/rfc1077.txt- this issue that much more critical. The amount of communication to ../data/rfc/rfc1077.txt- exchange the state of systems is bound to increase enormously. The ../data/rfc/rfc1077.txt- potential cost of failures and security violations is frightening. ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt- A promising approach appears to be high-level gateways that guard ../data/rfc/rfc1077.txt- between administrations and require negotiations to set up access ../data/rfc/rfc1077.txt- paths between administrations. These paths are set up, and labeled ../data/rfc/rfc1077.txt: with agreements on authorization, security, accounting, and possible ../data/rfc/rfc1077.txt- resource limits. These administrative virtual circuits provide ../data/rfc/rfc1077.txt- transparency to the physical and geographical interconnection, but ../data/rfc/rfc1077.txt- need not support more than datagram packet delivery. One view is ../data/rfc/rfc1077.txt- that of communication contracts with high-level gateways acting as ../data/rfc/rfc1077.txt- -- ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt- Networks of today generally select routes based on minimizing some ../data/rfc/rfc1077.txt- measure such as delay. However, in the real world, route selection ../data/rfc/rfc1077.txt- will commonly be constrained at the global level by policy issues, ../data/rfc/rfc1077.txt: such as access rights to resources and accounting and billing for ../data/rfc/rfc1077.txt- usage. ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt- It is difficult for connectionless protocols such as Internet to deal ../data/rfc/rfc1077.txt- with policy controls, because a lack of state in the gateway implies ../data/rfc/rfc1077.txt- that a separate policy decision must be made for each packet in -- ../data/rfc/rfc1077.txt- one point only, and then attached to the packet. Both of these ../data/rfc/rfc1077.txt- approaches have problems. 
A two-pronged research program is needed, ../data/rfc/rfc1077.txt- in which mechanisms are proposed, and at the same time the needed ../data/rfc/rfc1077.txt- policies are defined. ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt: The same trade-off can be seen for accounting and billing. A single ../data/rfc/rfc1077.txt: accounting metric, such as "bytes times distance", could be proposed. ../data/rfc/rfc1077.txt- This might be somewhat simple to implement, but would not permit the ../data/rfc/rfc1077.txt- definition of individual billing policies, as is now done in the ../data/rfc/rfc1077.txt- parts of the telephone system. The current connectionless transport ../data/rfc/rfc1077.txt- architectures such as TCP/IP or the connectionless ISO configuration ../data/rfc/rfc1077.txt: using TP4 do not have good tools for accounting for traffic, or for ../data/rfc/rfc1077.txt- restricting traffic from certain resources. Building these tools is ../data/rfc/rfc1077.txt: difficult in a connectionless environment, because an accounting or ../data/rfc/rfc1077.txt- control facility must deal with each packet in isolation, which ../data/rfc/rfc1077.txt- implies a significant processing burden as part of packet forwarding. ../data/rfc/rfc1077.txt- This burden is an increasing problem as switches are expected to ../data/rfc/rfc1077.txt- operate faster. ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt- The lack of these tools is proving a significant problem for network ../data/rfc/rfc1077.txt: design. Not only are accounting and control needed to support ../data/rfc/rfc1077.txt- management requirements, they are needed as a building block to ../data/rfc/rfc1077.txt- support enforcement of such things as multiple qualities of service, ../data/rfc/rfc1077.txt- as discussed above. 
../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt: Network accounting is generally considered to be simply a step that ../data/rfc/rfc1077.txt- leads to billing, and thus is often evaluated in terms of how simple ../data/rfc/rfc1077.txt: or difficult it will be to implement. Yet an accounting and billing ../data/rfc/rfc1077.txt- procedure is a mechanism for implementing a policy considered to be ../data/rfc/rfc1077.txt: desirable for reasons beyond the scope of accounting per se. For ../data/rfc/rfc1077.txt- example, a policy might be established either to encourage or ../data/rfc/rfc1077.txt- discourage network use, while fully recovering operational cost. A ../data/rfc/rfc1077.txt- policy of encouraging use could be implemented by a relatively high ../data/rfc/rfc1077.txt- monthly attachment charge and a relatively low per-packet charge. A ../data/rfc/rfc1077.txt- policy of discouraging use could be implemented by a low monthly -- ../data/rfc/rfc1077.txt- 5. Access charges (e.g., per port, or port * [bandwidth of ../data/rfc/rfc1077.txt- port]). ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt- 6. Distance (e.g., circuit-miles, airline miles, number of hops). ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt: Generally, an accounting procedure can be developed to support ../data/rfc/rfc1077.txt- voluntary user cooperation with almost any single policy objective. ../data/rfc/rfc1077.txt- Difficulties most often arise when there are multiple competing ../data/rfc/rfc1077.txt- policy objectives, or when there is no clear policy at all. ../data/rfc/rfc1077.txt- ../data/rfc/rfc1077.txt: Another aspect of accounting and billing procedures which must be ../data/rfc/rfc1077.txt- carefully considered is the cost of accumulating and processing the ../data/rfc/rfc1077.txt- data on which billing is based. Of particular concern is collection ../data/rfc/rfc1077.txt- of detailed data on a per-packet basis. 
As network circuit data ../data/rfc/rfc1077.txt- rates increase, the number of instructions which must be executed on ../data/rfc/rfc1077.txt- a per-packet basis can become the limiting factor in system ../data/rfc/rfc1077.txt: throughput. Thus, it may be appropriate to prefer accounting and ../data/rfc/rfc1077.txt- billing policies and procedures which minimize the difficulty of ../data/rfc/rfc1077.txt- collecting data, even if this approach requires a compromise of other ../data/rfc/rfc1077.txt- objectives. Similarly, node memory required for data collection and ../data/rfc/rfc1077.txt- any network bandwidth required for transmission of the data to ../data/rfc/rfc1077.txt- administrative headquarters are factors which must be traded off -- ../data/rfc/rfc187.txt-restart for the network. ../data/rfc/rfc187.txt- ../data/rfc/rfc187.txt-Files routed specifically for execution require a third status message ../data/rfc/rfc187.txt-from the receiving user system. The system must indicate when and how ../data/rfc/rfc187.txt-the job completed execution. This status message will also contain the ../data/rfc/rfc187.txt:appropriate accounting information to allow dynamic updating of network ../data/rfc/rfc187.txt:user and system accounting information. It is not clear at this time ../data/rfc/rfc187.txt-what should be accounted for in the network, but it is an area of prime ../data/rfc/rfc187.txt-concern to operational networks. ../data/rfc/rfc187.txt- ../data/rfc/rfc187.txt-An error in the second logic level can occur during the file ../data/rfc/rfc187.txt-transmission. 
There may be an error moving files from devices into the -- ../data/rfc/rfc6408.txt- +------------------+----------------------------+ ../data/rfc/rfc6408.txt- | Tag | Diameter Application | ../data/rfc/rfc6408.txt- +------------------+----------------------------+ ../data/rfc/rfc6408.txt- | aaa+ap1 | NASREQ [RFC3588] | ../data/rfc/rfc6408.txt- | aaa+ap2 | Mobile IPv4 [RFC4004] | ../data/rfc/rfc6408.txt: | aaa+ap3 | Base Accounting [RFC3588] | ../data/rfc/rfc6408.txt- | aaa+ap4 | Credit Control [RFC4006] | ../data/rfc/rfc6408.txt- | aaa+ap5 | EAP [RFC4072] | ../data/rfc/rfc6408.txt- | aaa+ap6 | SIP [RFC4740] | ../data/rfc/rfc6408.txt- | aaa+ap7 | Mobile IPv6 IKE [RFC5778] | ../data/rfc/rfc6408.txt- | aaa+ap8 | Mobile IPv6 Auth [RFC5778] | -- ../data/rfc/rfc6408.txt- | Tag | Diameter Application | ../data/rfc/rfc6408.txt- +----------------+--------------------------------------------------+ ../data/rfc/rfc6408.txt- | aaa+ap16777281 | WiMAX Network Access Authentication and | ../data/rfc/rfc6408.txt- | | Authorization Diameter Application (WNAAADA) | ../data/rfc/rfc6408.txt- | | [WiMAX-BASE] | ../data/rfc/rfc6408.txt: | aaa+ap16777282 | WiMAX Network Accounting Diameter Application | ../data/rfc/rfc6408.txt- | | (WNADA) [WiMAX-BASE] | ../data/rfc/rfc6408.txt- | aaa+ap16777283 | WiMAX MIP4 Diameter Application (WM4DA) | ../data/rfc/rfc6408.txt- | | [WiMAX-BASE] | ../data/rfc/rfc6408.txt- | aaa+ap16777284 | WiMAX MIP6 Diameter Application (WM6DA) | ../data/rfc/rfc6408.txt- | | [WiMAX-BASE] | -- ../data/rfc/rfc6930.txt- IPv4 and IPv6 connectivity services simultaneously during the ../data/rfc/rfc6930.txt- IPv4/IPv6 coexistence period. The Dynamic Host Configuration ../data/rfc/rfc6930.txt- Protocol (DHCP) 6rd option has been defined to configure the 6rd ../data/rfc/rfc6930.txt- Customer Edge (CE). 
However, in many networks, the configuration ../data/rfc/rfc6930.txt- information may be stored in the Authentication Authorization and ../data/rfc/rfc6930.txt: Accounting (AAA) servers, while user configuration is mainly acquired ../data/rfc/rfc6930.txt- from a Broadband Network Gateway (BNG) through the DHCP protocol. ../data/rfc/rfc6930.txt- This document defines a Remote Authentication Dial-In User Service ../data/rfc/rfc6930.txt- (RADIUS) attribute that carries 6rd configuration information from ../data/rfc/rfc6930.txt- the AAA server to BNGs. ../data/rfc/rfc6930.txt- -- ../data/rfc/rfc6930.txt- the 6rd Customer Edge (CE) uses the DHCP 6rd option [RFC5969] to ../data/rfc/rfc6930.txt- discover a 6rd Border Relay and to configure an IPv6 prefix and ../data/rfc/rfc6930.txt- address. ../data/rfc/rfc6930.txt- ../data/rfc/rfc6930.txt- In many networks, user-configuration information is managed by ../data/rfc/rfc6930.txt: Authentication, Authorization, and Accounting (AAA) servers. The ../data/rfc/rfc6930.txt- Remote Authentication Dial-In User Service (RADIUS) protocol ../data/rfc/rfc6930.txt- [RFC2865] is usually used by AAA servers to communicate with network ../data/rfc/rfc6930.txt- elements. In a fixed-line broadband network, the Broadband Network ../data/rfc/rfc6930.txt- Gateways (BNGs) act as the access gateway for users. The BNGs are ../data/rfc/rfc6930.txt- assumed to embed a DHCP server function that allows them to handle -- ../data/rfc/rfc6930.txt- ../data/rfc/rfc6930.txt- The following table adds to the one in [RFC2865], Section 5.44, ../data/rfc/rfc6930.txt- providing a guide to the quantity of IPv6-6rd-Configuration ../data/rfc/rfc6930.txt- attributes that may be found in each kind of packet. 
../data/rfc/rfc6930.txt- ../data/rfc/rfc6930.txt: Request Accept Reject Challenge Accounting # Attribute ../data/rfc/rfc6930.txt- Request ../data/rfc/rfc6930.txt- 0-1 0-1 0 0 0-1 173 IPv6-6rd- ../data/rfc/rfc6930.txt- Configuration ../data/rfc/rfc6930.txt- 0-1 0-1 0 0 0-1 1 User-Name ../data/rfc/rfc6930.txt- 0-1 0 0 0 0-1 2 User-Password -- ../data/rfc/rfc2990.txt- 3.4 QoS Routing and Resource Management ................ 10 ../data/rfc/rfc2990.txt- 3.5 TCP and QoS ........................................ 11 ../data/rfc/rfc2990.txt- 3.6 Per-Flow States and Per-Packet classifiers ......... 13 ../data/rfc/rfc2990.txt- 3.7 The Service Set .................................... 14 ../data/rfc/rfc2990.txt- 3.8 Measuring Service Delivery ......................... 14 ../data/rfc/rfc2990.txt: 3.9 QoS Accounting ..................................... 15 ../data/rfc/rfc2990.txt- 3.10 QoS Deployment Diversity .......................... 16 ../data/rfc/rfc2990.txt- 3.11 QoS Inter-Domain signaling ........................ 17 ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- -- ../data/rfc/rfc2990.txt- justified in terms of superior application performance. ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- Such measurement methodologies appear to fall within the realm of ../data/rfc/rfc2990.txt- additional refinement to the QoS architecture. ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt:3.9 QoS Accounting ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- It is reasonable to anticipate that such forms of premium service and ../data/rfc/rfc2990.txt- customized service will attract an increment on the service tariff. 
../data/rfc/rfc2990.txt- The provision of a distinguished service is undertaken with some ../data/rfc/rfc2990.txt- level of additional network resources to support the service, and the -- ../data/rfc/rfc2990.txt- those clients who are requesting a disproportionate level of ../data/rfc/rfc2990.txt- resources, but it provides a means to control the level of demand for ../data/rfc/rfc2990.txt- premium service levels. ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- If there are to be incremental tariffs on the use of premium ../data/rfc/rfc2990.txt: services, then some accounting of the use of the premium service ../data/rfc/rfc2990.txt- would appear to be necessary relating use of the service to a ../data/rfc/rfc2990.txt- particular client. So far there is no definition of such an ../data/rfc/rfc2990.txt: accounting model nor a definition as to how to gather the data to ../data/rfc/rfc2990.txt: support the resource accounting function. ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- The impact of this QoS service model may be quite profound to the ../data/rfc/rfc2990.txt- models of Internet service provision. The commonly adopted model in ../data/rfc/rfc2990.txt- both the public internet and within enterprise networks is that of a ../data/rfc/rfc2990.txt- model of access, where the client's service tariff is based on the ../data/rfc/rfc2990.txt- characteristics of access to the services, rather than that of the ../data/rfc/rfc2990.txt- actual use of the service. The introduction of QoS services creates ../data/rfc/rfc2990.txt- a strong impetus to move to usage-based tariffs, where the tariff is ../data/rfc/rfc2990.txt- based on the level of use of the network's resources. This, in turn, ../data/rfc/rfc2990.txt- generates a requirement to meter resource use, which is a form of ../data/rfc/rfc2990.txt: usage accounting. 
This topic has been previously studied within the ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt-Huston Informational [Page 15] ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt-RFC 2990 Next Steps for QoS Architecture November 2000 ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt: IETF under the topic of "Internet Accounting" [11], and further ../data/rfc/rfc2990.txt- refinement of the concepts used in this model, as they apply to QoS ../data/rfc/rfc2990.txt: accounting, may prove to be a productive initial step in formulating a ../data/rfc/rfc2990.txt: standards-based model for QoS accounting. ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt-3.10 QoS Deployment Diversity ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- It is extremely improbable that any single form of service ../data/rfc/rfc2990.txt- differentiation technology will be rolled out across the Internet and -- ../data/rfc/rfc2990.txt- implementation of fairness of access to the common transmission and ../data/rfc/rfc2990.txt- switching resource. The introduction of any form of fairness, and, ../data/rfc/rfc2990.txt- in the case of QoS, weighted fairness, implies a requirement for ../data/rfc/rfc2990.txt- transparency in the implementation of the fairness contract between ../data/rfc/rfc2990.txt- the network provider and the network's users. This requires some ../data/rfc/rfc2990.txt: form of resource accounting and auditing, which, in turn, requires ../data/rfc/rfc2990.txt- the use of authentication and access control. The balancing factor ../data/rfc/rfc2990.txt- is that a shared resource should not overtly expose the level of ../data/rfc/rfc2990.txt- resource usage of any one user to any other, so that some level of ../data/rfc/rfc2990.txt- secrecy is required in this environment. ../data/rfc/rfc2990.txt- -- ../data/rfc/rfc2990.txt- 1998. ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- [10] Berger, L. and T. 
O'Malley, "RSVP Extensions for IPSEC Data ../data/rfc/rfc2990.txt- Flows", RFC 2007, September 1997. ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt: [11] Mills, C., Hirsh, D. and G. Ruth, "Internet Accounting: ../data/rfc/rfc2990.txt- Background", RFC 1272, November 1991. ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt-9. Acknowledgments ../data/rfc/rfc2990.txt- ../data/rfc/rfc2990.txt- Valuable contributions to this document came from Yoram Bernet, Brian -- ../data/rfc/rfc5080.txt- 2.1.2. Request-ID Supplementation ..........................6 ../data/rfc/rfc5080.txt- 2.2. Overload Conditions ........................................7 ../data/rfc/rfc5080.txt- 2.2.1. Retransmission Behavior .............................7 ../data/rfc/rfc5080.txt- 2.2.2. Duplicate Detection and Orderly Delivery ...........10 ../data/rfc/rfc5080.txt- 2.2.3. Server Response to Overload ........................11 ../data/rfc/rfc5080.txt: 2.3. Accounting Issues .........................................12 ../data/rfc/rfc5080.txt- 2.3.1. Attributes Allowed in an Interim Update ............12 ../data/rfc/rfc5080.txt- 2.3.2. Acct-Session-Id and Acct-Multi-Session-Id ..........12 ../data/rfc/rfc5080.txt- 2.3.3. Request Authenticator ..............................13 ../data/rfc/rfc5080.txt: 2.3.4. Interim-Accounting-Interval ........................13 ../data/rfc/rfc5080.txt- 2.3.5. Counter Values in the RADIUS Management ../data/rfc/rfc5080.txt- Information Base (MIB) .............................14 ../data/rfc/rfc5080.txt- 2.4. Multiple Filter-ID Attributes .............................15 ../data/rfc/rfc5080.txt- 2.5. Mandatory and Optional Attributes .........................16 ../data/rfc/rfc5080.txt- 2.6. 
Interpretation of Access-Reject ...........................18 -- ../data/rfc/rfc5080.txt- Each service provided by the NAS to a peer constitutes a session, ../data/rfc/rfc5080.txt- with the beginning of the session defined as the point where ../data/rfc/rfc5080.txt- service is first provided, and the end of the session is defined ../data/rfc/rfc5080.txt- as the point where service is ended. A peer may have multiple ../data/rfc/rfc5080.txt- sessions in parallel or series if the NAS supports that, with each ../data/rfc/rfc5080.txt: session generating a separate start and stop accounting record. ../data/rfc/rfc5080.txt- ../data/rfc/rfc5080.txt- silently discard ../data/rfc/rfc5080.txt- This means the implementation discards the packet without further ../data/rfc/rfc5080.txt- processing. The implementation SHOULD provide the capability of ../data/rfc/rfc5080.txt- logging the error, including the contents of the silently -- ../data/rfc/rfc5080.txt- retransmission mechanism described below. Other retransmission ../data/rfc/rfc5080.txt- mechanisms are possible, as long as they satisfy the requirements on ../data/rfc/rfc5080.txt- jitter and congestive backoff. ../data/rfc/rfc5080.txt- ../data/rfc/rfc5080.txt- The following algorithms apply to any client that originates RADIUS ../data/rfc/rfc5080.txt: packets, including but not limited to Access-Request, Accounting- ../data/rfc/rfc5080.txt- Request, Disconnect-Request, and CoA-Request [RFC3576]. ../data/rfc/rfc5080.txt- ../data/rfc/rfc5080.txt- The retransmission behavior is controlled and described by the ../data/rfc/rfc5080.txt- following variables: ../data/rfc/rfc5080.txt- -- ../data/rfc/rfc5080.txt- once MRD seconds have elapsed since the client first transmitted the ../data/rfc/rfc5080.txt- message. 
../data/rfc/rfc5080.txt-   If MRC is non-zero, the message exchange fails when either
../data/rfc/rfc5080.txt-   the sender has transmitted the message MRC times, or when MRD seconds
../data/rfc/rfc5080.txt-   have elapsed since the client first transmitted the message.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt:   For Accounting-Request packets, the default values for MRC, MRD, and
../data/rfc/rfc5080.txt-   MRT SHOULD be zero.  These settings will enable a RADIUS client to
../data/rfc/rfc5080.txt:   continue sending accounting requests to a RADIUS server until the
../data/rfc/rfc5080.txt-   request is acknowledged.  If any of MRC, MRD, or MRT are non-zero,
../data/rfc/rfc5080.txt:   then the accounting information could potentially be discarded
../data/rfc/rfc5080.txt-   without being recorded.
../data/rfc/rfc5080.txt-
--
../data/rfc/rfc5080.txt-   processing new requests from a NAS.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   These methods will allow some users to gain access to the network,
../data/rfc/rfc5080.txt-   reducing the load created by ongoing access attempts.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt:2.3.  Accounting Issues
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-2.3.1.  Attributes Allowed in an Interim Update
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   [RFC2866] indicates that Acct-Input-Octets, Acct-Output-Octets,
../data/rfc/rfc5080.txt-   Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets and Acct-
../data/rfc/rfc5080.txt:   Terminate-Cause attributes "can only be present in Accounting-Request
../data/rfc/rfc5080.txt-   records where the Acct-Status-Type is set to Stop".
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   However [RFC2869] Section 2.1 states:
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt:      It is envisioned that an Interim Accounting record (with Acct-
../data/rfc/rfc5080.txt-      Status-Type = Interim-Update (3)) would contain all of the
../data/rfc/rfc5080.txt:      attributes normally found in an Accounting Stop message with the
../data/rfc/rfc5080.txt-      exception of the Acct-Term-Cause attribute.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   Although [RFC2869] does not indicate that it updates [RFC2866], this
../data/rfc/rfc5080.txt-   is an oversight, and the above attributes are allowable in an Interim
../data/rfc/rfc5080.txt:   Accounting record.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-2.3.2.  Acct-Session-Id and Acct-Multi-Session-Id
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   [RFC2866] Section 5.5 describes Acct-Session-Id as Text within the
../data/rfc/rfc5080.txt-   figure summarizing the attribute format, but then goes on to state
--
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-2.3.3.  Request Authenticator
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   [RFC2866] Section 4.1 states:
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt:      The Request Authenticator of an Accounting-Request contains a 16-
../data/rfc/rfc5080.txt-      octet MD5 hash value calculated according to the method described
../data/rfc/rfc5080.txt-      in "Request Authenticator" above.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   However, the text does not indicate any action to take when an
../data/rfc/rfc5080.txt:   Accounting-Request packet contains an invalid Request Authenticator.
../data/rfc/rfc5080.txt-   The following text should be considered to be part of the above
../data/rfc/rfc5080.txt-   description:
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-      The Request Authenticator field MUST contain the correct data, as
../data/rfc/rfc5080.txt-      given by the above calculation.  Invalid packets are silently
--
../data/rfc/rfc5080.txt-      Request Authenticator to all zeros.  New implementations of RADIUS
../data/rfc/rfc5080.txt-      clients MUST use the above algorithm to calculate the Request
../data/rfc/rfc5080.txt-      Authenticator field.  New RADIUS server implementations MUST
../data/rfc/rfc5080.txt-      silently discard invalid packets.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt:2.3.4.  Interim-Accounting-Interval
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   [RFC2869] Section 2.1 states:
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-      It is also possible to statically configure an interim value on
../data/rfc/rfc5080.txt-      the NAS itself.  Note that a locally configured value on the NAS
../data/rfc/rfc5080.txt-      MUST override the value found in an Access-Accept.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   This requirement may be phrased too strongly.  It is conceivable that
../data/rfc/rfc5080.txt-   a NAS implementation has a setting for a "minimum" value of Interim-
../data/rfc/rfc5080.txt:   Accounting-Interval, based on resource constraints in the NAS, and
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-Nelson & DeKok              Standards Track                    [Page 13]
../data/rfc/rfc5080.txt-
--
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   network loading in the local environment of the NAS.  In such cases,
../data/rfc/rfc5080.txt-   the value administratively provisioned in the NAS should not be
../data/rfc/rfc5080.txt-   overridden by a smaller value from an Access-Accept message.  The
../data/rfc/rfc5080.txt-   NAS's value could be overridden by a larger one, however.  The
../data/rfc/rfc5080.txt:   intent is that the NAS sends accounting information at fixed
../data/rfc/rfc5080.txt-   intervals that are short enough so that the potential loss of
../data/rfc/rfc5080.txt:   billable revenue is limited, but also that the accounting updates are
../data/rfc/rfc5080.txt-   infrequent enough so that the NAS, network, and RADIUS server are not
../data/rfc/rfc5080.txt-   overloaded.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-2.3.5.  Counter Values in the RADIUS Management Information Base (MIB)
../data/rfc/rfc5080.txt-
--
../data/rfc/rfc5080.txt-   treated as Access-Rejects.  If the flag is set to false, then unknown
../data/rfc/rfc5080.txt-   attributes in Access-Accepts are silently ignored.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   On receiving a packet including an attribute of unknown Type, RADIUS
../data/rfc/rfc5080.txt-   authentication server implementations SHOULD ignore such attributes.
../data/rfc/rfc5080.txt:   However, RADIUS accounting server implementations typically do not
../data/rfc/rfc5080.txt-   need to understand attributes in order to write them to stable
../data/rfc/rfc5080.txt:   storage or pass them to the billing engine.  Therefore, accounting
../data/rfc/rfc5080.txt-   server implementations SHOULD be equipped to handle unknown
../data/rfc/rfc5080.txt-   attributes.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   To avoid misinterpretation of service requests encoded within VSAs,
../data/rfc/rfc5080.txt-   RADIUS servers SHOULD NOT send VSAs containing service requests to
--
../data/rfc/rfc5080.txt-   used only for ARAP authentication.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-2.6.2.  Service Request Denial
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   RADIUS has been deployed for purposes outside network access
../data/rfc/rfc5080.txt:   authentication, authorization, and accounting.  For example, RADIUS
../data/rfc/rfc5080.txt-   has been deployed as a "back-end" for authenticating Voice Over IP
../data/rfc/rfc5080.txt-   (VOIP) connections, Hypertext Transfer Protocol (HTTP) sessions
../data/rfc/rfc5080.txt-   (e.g., Apache), File Transfer Protocol (FTP) sessions (e.g.,
../data/rfc/rfc5080.txt-   proftpd), and machine logins for multiple operating systems (e.g.,
../data/rfc/rfc5080.txt-   bsdi, pam, and gina).  In those contexts, an Access-Reject sent to
--
../data/rfc/rfc5080.txt-   the utility of the cache.  This attack can be mitigated by following
../data/rfc/rfc5080.txt-   the suggestions in [RFC3579] Section 4, or by requiring the presence
../data/rfc/rfc5080.txt-   of Message-Authenticator, as described in Sections 2.1.1 and 2.2.2.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   Since this document describes the use of RADIUS for purposes of
../data/rfc/rfc5080.txt:   authentication, authorization, and accounting in a wide variety of
../data/rfc/rfc5080.txt-   networks, applications using these specifications are vulnerable to
../data/rfc/rfc5080.txt-   all of the threats that are present in other RADIUS applications.
../data/rfc/rfc5080.txt-   For a discussion of these threats, see [RFC2865], [RFC2607],
../data/rfc/rfc5080.txt-   [RFC3162], [RFC3579], and [RFC3580].
../data/rfc/rfc5080.txt-
--
../data/rfc/rfc5080.txt-              Implementation in Roaming", RFC 2607, June 1999.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client
../data/rfc/rfc5080.txt-              MIB", RFC 2618, June 1999.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt:   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   [RFC2869]  Rigney, C., Willats, W., and P. Calhoun, "RADIUS
../data/rfc/rfc5080.txt-              Extensions", RFC 2869, June 2000.
../data/rfc/rfc5080.txt-
../data/rfc/rfc5080.txt-   [RFC3162]  Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
--
../data/rfc/rfc2804.txt-   Thus, for instance, monitoring public newsgroups is not wiretapping
../data/rfc/rfc2804.txt-   (condition 3 violated), random monitoring of a large population is
../data/rfc/rfc2804.txt-   not wiretapping (condition 4 violated), a recipient passing on
../data/rfc/rfc2804.txt-   private email is not wiretapping (condition 2 violated).
../data/rfc/rfc2804.txt-
../data/rfc/rfc2804.txt:   An Internet equivalent of call tracing by means of accounting logs
../data/rfc/rfc2804.txt-   (sometimes called "pen registers") that is a feature of the telephone
../data/rfc/rfc2804.txt-   network is also wiretapping by this definition, since the normal
../data/rfc/rfc2804.txt:   expectation of the sender is that the company doing the accounting
../data/rfc/rfc2804.txt-   will keep this information in confidence.
../data/rfc/rfc2804.txt-
../data/rfc/rfc2804.txt-   Wiretapping may logically be thought of as 3 distinct steps:
../data/rfc/rfc2804.txt-
../data/rfc/rfc2804.txt-   - Capture - getting information off the wire that contains the
--
../data/rfc/rfc2804.txt-   - Whether the wiretap is legal or not, since that is a legal, not a
../data/rfc/rfc2804.txt-     technical matter.
../data/rfc/rfc2804.txt-
../data/rfc/rfc2804.txt-   - Whether the wiretap occurs in real time, or can be performed after
../data/rfc/rfc2804.txt-     the fact by looking at information recorded for other purposes
../data/rfc/rfc2804.txt:     (such as the accounting example given above).
../data/rfc/rfc2804.txt-
../data/rfc/rfc2804.txt-   - What the medium targeted by the wiretap is - whether it is email,
../data/rfc/rfc2804.txt-     IP telephony, Web browsing or EDI transfers.
../data/rfc/rfc2804.txt-
../data/rfc/rfc2804.txt-   These questions are believed to be irrelevant to the policy outlined
--
../data/rfc/rfc8581.txt-
../data/rfc/rfc8581.txt-8.  IANA Considerations
../data/rfc/rfc8581.txt-
../data/rfc/rfc8581.txt-   IANA has registered the following values in the "Authentication,
../data/rfc/rfc8581.txt:   Authorization, and Accounting (AAA) Parameters" registry:
../data/rfc/rfc8581.txt-
../data/rfc/rfc8581.txt-   Two new AVP codes are defined in Section 7.4.
../data/rfc/rfc8581.txt-
../data/rfc/rfc8581.txt-   Note that the values used for the OC-Peer-Algo AVP are a subset of
../data/rfc/rfc8581.txt-   the "OC-Feature-Vector AVP Values (code 622)" registry.  Only the
--
../data/rfc/rfc7921.txt-   policy that is contained in a set of access control rules.
../data/rfc/rfc7921.txt-   Similarly, it is expected the I2RS identity links to one role that
../data/rfc/rfc7921.txt-   has a scope policy specified by a set of access control rules.  This
../data/rfc/rfc7921.txt-   scope policy can be provided via Local Configuration, exposed as an
../data/rfc/rfc7921.txt-   I2RS service for manipulation by authorized clients, or via some
../data/rfc/rfc7921.txt:   other method (e.g., Authentication, Authorization, and Accounting
../data/rfc/rfc7921.txt-   (AAA) service).
../data/rfc/rfc7921.txt-
../data/rfc/rfc7921.txt-   While the I2RS agent allows access based on the I2RS client's scope
../data/rfc/rfc7921.txt-   policy, this does not mean the access is required to arrive on a
../data/rfc/rfc7921.txt-   particular transport connection or from a particular I2RS client by
--
../data/rfc/rfc2975.txt-                                                           D. Harrington
../data/rfc/rfc2975.txt-                                                  Cabletron Systems Inc.
../data/rfc/rfc2975.txt-                                                            October 2000
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:                  Introduction to Accounting Management
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-Status of this Memo
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   This memo provides information for the Internet community.  It does
../data/rfc/rfc2975.txt-   not specify an Internet standard of any kind.  Distribution of this
--
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   Copyright (C) The Internet Society (2000).  All Rights Reserved.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-Abstract
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   The field of Accounting Management is concerned with the collection
../data/rfc/rfc2975.txt-   of resource consumption data for the purposes of capacity and trend
../data/rfc/rfc2975.txt-   analysis, cost allocation, auditing, and billing.  This document
../data/rfc/rfc2975.txt-   describes each of these problems, and discusses the issues involved
../data/rfc/rfc2975.txt:   in design of modern accounting systems.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Since accounting applications do not have uniform security and
../data/rfc/rfc2975.txt-   reliability requirements, it is not possible to devise a single
../data/rfc/rfc2975.txt:   accounting protocol and set of security services that will meet all
../data/rfc/rfc2975.txt:   needs.  Thus the goal of accounting management is to provide a set of
../data/rfc/rfc2975.txt-   tools that can be used to meet the requirements of each application.
../data/rfc/rfc2975.txt-   This document describes the currently available tools as well as the
../data/rfc/rfc2975.txt:   state of the art in accounting protocol design.  A companion
../data/rfc/rfc2975.txt:   document, RFC 2924, reviews the state of the art in accounting
../data/rfc/rfc2975.txt-   attributes and record formats.
../data/rfc/rfc2975.txt-
--
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-Aboba, et al.                Informational                      [Page 1]
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:RFC 2975           Introduction to Accounting Management    October 2000
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-Table of Contents
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   1.  Introduction                                                   2
../data/rfc/rfc2975.txt-       1.1  Requirements language                                      3
../data/rfc/rfc2975.txt-       1.2  Terminology                                                3
../data/rfc/rfc2975.txt:       1.3  Accounting management architecture                         5
../data/rfc/rfc2975.txt:       1.4  Accounting management objectives                           7
../data/rfc/rfc2975.txt:       1.5  Intra-domain and inter-domain accounting                  10
../data/rfc/rfc2975.txt:       1.6  Accounting record production                              11
../data/rfc/rfc2975.txt-       1.7  Requirements summary                                      13
../data/rfc/rfc2975.txt-   2.  Scaling and reliability                                       14
../data/rfc/rfc2975.txt-       2.1  Fault resilience                                          14
../data/rfc/rfc2975.txt-       2.2  Resource consumption                                      23
../data/rfc/rfc2975.txt-       2.3  Data collection models                                    26
../data/rfc/rfc2975.txt:   3.  Review of Accounting Protocols                                32
../data/rfc/rfc2975.txt-       3.1  RADIUS                                                    32
../data/rfc/rfc2975.txt-       3.2  TACACS+                                                   33
../data/rfc/rfc2975.txt-       3.3  SNMP                                                      33
../data/rfc/rfc2975.txt:   4.  Review of Accounting Data Transfer                            43
../data/rfc/rfc2975.txt-       4.1  SMTP                                                      44
../data/rfc/rfc2975.txt-       4.2  Other protocols                                           44
../data/rfc/rfc2975.txt-   5.  Summary                                                       45
../data/rfc/rfc2975.txt-   6.  Security Considerations                                       48
../data/rfc/rfc2975.txt-   7.  Acknowledgments                                               48
--
../data/rfc/rfc2975.txt-   10. Intellectual Property Statement                               53
../data/rfc/rfc2975.txt-   11. Full Copyright Statement                                      54
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-1.  Introduction
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   The field of Accounting Management is concerned with the collection
../data/rfc/rfc2975.txt-   of resource consumption data for the purposes of capacity and trend
../data/rfc/rfc2975.txt-   analysis, cost allocation, auditing, and billing.  This document
../data/rfc/rfc2975.txt-   describes each of these problems, and discusses the issues involved
../data/rfc/rfc2975.txt:   in design of modern accounting systems.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Since accounting applications do not have uniform security and
../data/rfc/rfc2975.txt-   reliability requirements, it is not possible to devise a single
../data/rfc/rfc2975.txt:   accounting protocol and set of security services that will meet all
../data/rfc/rfc2975.txt:   needs.  Thus the goal of accounting management is to provide a set of
../data/rfc/rfc2975.txt-   tools that can be used to meet the requirements of each application.
../data/rfc/rfc2975.txt-   This document describes the currently available tools as well as the
../data/rfc/rfc2975.txt:   state of the art in accounting protocol design.  A companion
../data/rfc/rfc2975.txt:   document, RFC 2924, reviews the state of the art in accounting
../data/rfc/rfc2975.txt-   attributes and record formats.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-1.1.  Requirements language
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   In this document, the key words "MAY", "MUST", "MUST NOT", "optional",
--
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-1.2.  Terminology
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   This document frequently uses the following terms:
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Accounting
../data/rfc/rfc2975.txt-             The collection of resource consumption data for the
../data/rfc/rfc2975.txt-             purposes of capacity and trend analysis, cost allocation,
../data/rfc/rfc2975.txt:             auditing, and billing.  Accounting management requires that
../data/rfc/rfc2975.txt-             resource consumption be measured, rated, assigned, and
../data/rfc/rfc2975.txt-             communicated between appropriate parties.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Archival accounting
../data/rfc/rfc2975.txt:             In archival accounting, the goal is to collect all
../data/rfc/rfc2975.txt:             accounting data, to reconstruct missing entries as best as
../data/rfc/rfc2975.txt-             possible in the event of data loss, and to archive data for
../data/rfc/rfc2975.txt-             a mandated time period.  It is "usual and customary" for
../data/rfc/rfc2975.txt-             these systems to be engineered to be very robust against
../data/rfc/rfc2975.txt:             accounting data loss.  This may include provisions for
../data/rfc/rfc2975.txt-             transport layer as well as application layer
../data/rfc/rfc2975.txt-             acknowledgments, use of non-volatile storage, interim
../data/rfc/rfc2975.txt:             accounting capabilities (stored or transmitted over the
../data/rfc/rfc2975.txt-             wire), etc.  Legal or financial requirements frequently
../data/rfc/rfc2975.txt:             mandate archival accounting practices, and may often
../data/rfc/rfc2975.txt-             dictate that data be kept confidential, regardless of
../data/rfc/rfc2975.txt-             whether it is to be used for billing purposes or not.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   Rating    The act of determining the price to be charged for use of a
../data/rfc/rfc2975.txt-             resource.
--
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-             the recommended process.  Accomplishing this may require
../data/rfc/rfc2975.txt-             security services such as authentication and integrity
../data/rfc/rfc2975.txt-             protection.
--
../data/rfc/rfc2975.txt-             the objective is to determine the amount to be charged for
../data/rfc/rfc2975.txt-             use of a resource.  In cost allocation, the cost per unit
../data/rfc/rfc2975.txt-             of resource may need to be determined; in rating, this is
../data/rfc/rfc2975.txt-             typically a given.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Interim accounting
../data/rfc/rfc2975.txt:             Interim accounting provides a snapshot of usage during a
../data/rfc/rfc2975.txt-             user's session.  This may be useful in the event of a
../data/rfc/rfc2975.txt-             device reboot or other network problem that prevents the
../data/rfc/rfc2975.txt-             reception or generation of a session summary packet or
../data/rfc/rfc2975.txt:             session record.  Interim accounting records can always be
../data/rfc/rfc2975.txt-             summarized without the loss of information.  Note that
../data/rfc/rfc2975.txt:             interim accounting records may be stored internally on the
../data/rfc/rfc2975.txt-             device (such as in non-volatile storage) so as to survive a
../data/rfc/rfc2975.txt-             reboot and thus may not always be transmitted over the
../data/rfc/rfc2975.txt-             wire.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   Session record
../data/rfc/rfc2975.txt-             A session record represents a summary of the resource
../data/rfc/rfc2975.txt:             consumption of a user over the entire session.  Accounting
../data/rfc/rfc2975.txt-             gateways creating the session record may do so by
../data/rfc/rfc2975.txt:             processing interim accounting events or accounting events
../data/rfc/rfc2975.txt-             from several devices serving the same user.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Accounting Protocol
../data/rfc/rfc2975.txt:             A protocol used to convey data for accounting purposes.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Intra-domain accounting
../data/rfc/rfc2975.txt:             Intra-domain accounting involves the collection of
../data/rfc/rfc2975.txt-             information on resource usage within an administrative
../data/rfc/rfc2975.txt-             domain, for use within that domain.  In intra-domain
../data/rfc/rfc2975.txt:             accounting, accounting packets and session records
../data/rfc/rfc2975.txt-             typically do not cross administrative boundaries.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Inter-domain accounting
../data/rfc/rfc2975.txt:             Inter-domain accounting involves the collection of
../data/rfc/rfc2975.txt-             information on resource usage within an administrative
../data/rfc/rfc2975.txt-             domain, for use within another administrative domain.  In
../data/rfc/rfc2975.txt:             inter-domain accounting, accounting packets and session
../data/rfc/rfc2975.txt-             records will typically cross administrative boundaries.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Real-time accounting
../data/rfc/rfc2975.txt:             Real-time accounting involves the processing of information
../data/rfc/rfc2975.txt-             on resource usage within a defined time window.  Time
../data/rfc/rfc2975.txt-             constraints are typically imposed in order to limit
../data/rfc/rfc2975.txt-             financial risk.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Accounting server
../data/rfc/rfc2975.txt:             The accounting server receives accounting data from devices
../data/rfc/rfc2975.txt:             and translates it into session records.  The accounting
../data/rfc/rfc2975.txt-             server may also take responsibility for the routing of
../data/rfc/rfc2975.txt-             session records to interested parties.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:1.3.  Accounting management architecture
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   The accounting management architecture involves interactions between
../data/rfc/rfc2975.txt:   network devices, accounting servers, and billing servers.  The
../data/rfc/rfc2975.txt-   network device collects resource consumption data in the form of
../data/rfc/rfc2975.txt:   accounting metrics.  This information is then transferred to an
../data/rfc/rfc2975.txt:   accounting server.  Typically this is accomplished via an accounting
../data/rfc/rfc2975.txt-   protocol, although it is also possible for devices to generate their
../data/rfc/rfc2975.txt-   own session records.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   The accounting server then processes the accounting data received
../data/rfc/rfc2975.txt-   from the network device.  This processing may include summarization
../data/rfc/rfc2975.txt:   of interim accounting information, elimination of duplicate data, or
../data/rfc/rfc2975.txt-   generation of session records.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   The processed accounting data is then submitted to a billing server,
../data/rfc/rfc2975.txt-   which typically handles rating and invoice generation, but may also
../data/rfc/rfc2975.txt-   carry out auditing, cost allocation, trend analysis or capacity
../data/rfc/rfc2975.txt-   planning functions.  Session records may be batched and compressed by
../data/rfc/rfc2975.txt:   the accounting server prior to submission to the billing server in
../data/rfc/rfc2975.txt:   order to reduce the volume of accounting data and the bandwidth
../data/rfc/rfc2975.txt-   required to accomplish the transfer.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   One of the functions of the accounting server is to distinguish
../data/rfc/rfc2975.txt:   between inter and intra-domain accounting events and to route them
../data/rfc/rfc2975.txt-   appropriately.  For session records containing a Network Access
../data/rfc/rfc2975.txt-   Identifier (NAI), described in [8], the distinction can be made by
../data/rfc/rfc2975.txt-   examining the domain portion of the NAI.  If the domain portion is
../data/rfc/rfc2975.txt-   absent or corresponds to the local domain, then the session record is
../data/rfc/rfc2975.txt:   treated as an intra-domain accounting event.  Otherwise, it is
../data/rfc/rfc2975.txt:   treated as an inter-domain accounting event.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Intra-domain accounting events are typically routed to the local
../data/rfc/rfc2975.txt:   billing server, while inter-domain accounting events will be routed
../data/rfc/rfc2975.txt:   to accounting servers operating within other administrative domains.
../data/rfc/rfc2975.txt-   While it is not required that session record formats used in inter
../data/rfc/rfc2975.txt:   and intra-domain accounting be the same, this is desirable, since it
../data/rfc/rfc2975.txt-   eliminates translations that would otherwise be required.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   Where a proxy forwarder is employed, domain-based access controls may
../data/rfc/rfc2975.txt-   be employed by the proxy forwarder, rather than by the devices
../data/rfc/rfc2975.txt:   themselves.  The network device will typically speak an accounting
../data/rfc/rfc2975.txt-   protocol to the proxy forwarder, which may then either convert the
../data/rfc/rfc2975.txt:   accounting packets to session records, or forward the accounting
../data/rfc/rfc2975.txt-   packets to another domain.  In either case, domain separation is
../data/rfc/rfc2975.txt-   typically achieved by having the proxy forwarder sort the session
../data/rfc/rfc2975.txt:   records or accounting messages by destination.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Where the accounting proxy is not trusted, it may be difficult to
../data/rfc/rfc2975.txt-   verify that the proxy is issuing correct session records based on the
../data/rfc/rfc2975.txt:   accounting messages it receives, since the original accounting
../data/rfc/rfc2975.txt-   messages typically are not forwarded along with the session records.
../data/rfc/rfc2975.txt-   Therefore where trust is an issue, the proxy typically forwards the
../data/rfc/rfc2975.txt:   accounting packets themselves.  Assuming that the accounting protocol
../data/rfc/rfc2975.txt-   supports data object security, this allows the end-points to verify
../data/rfc/rfc2975.txt-   that the proxy has not modified the data in transit or snooped on the
../data/rfc/rfc2975.txt-   packet contents.
../data/rfc/rfc2975.txt-
--
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   The diagram below illustrates the accounting management architecture:
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-                       +------------+
../data/rfc/rfc2975.txt-                       |            |
../data/rfc/rfc2975.txt-                       |  Network   |
../data/rfc/rfc2975.txt-                       |   Device   |
../data/rfc/rfc2975.txt-                       |            |
../data/rfc/rfc2975.txt-                       +------------+
../data/rfc/rfc2975.txt-                             |
../data/rfc/rfc2975.txt:                Accounting   |
../data/rfc/rfc2975.txt-                Protocol     |
../data/rfc/rfc2975.txt-                             |
../data/rfc/rfc2975.txt-                             V
../data/rfc/rfc2975.txt-   +------------+                                  +------------+
../data/rfc/rfc2975.txt-   |            |                                  |            |
../data/rfc/rfc2975.txt-   |   Org B    |  Inter-domain session records    |   Org A    |
../data/rfc/rfc2975.txt-   |   Acctg.   |<-------------------------------->|   Acctg.   |
../data/rfc/rfc2975.txt:   |Proxy/Server|     or accounting protocol       |   Server   |
../data/rfc/rfc2975.txt-   |            |                                  |            |
../data/rfc/rfc2975.txt-   +------------+                                  +------------+
../data/rfc/rfc2975.txt-         |                                               |
../data/rfc/rfc2975.txt-         |                                               |
../data/rfc/rfc2975.txt-   Transfer |                                  Intra-domain |
--
../data/rfc/rfc2975.txt-   |  Billing   |                                  |  Billing   |
../data/rfc/rfc2975.txt-   |   Server   |                                  |   Server   |
../data/rfc/rfc2975.txt-   |            |                                  |            |
../data/rfc/rfc2975.txt-   +------------+                                  +------------+
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:1.4.  Accounting management objectives
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Accounting Management involves the collection of resource consumption
../data/rfc/rfc2975.txt-   data for the purposes of capacity and trend analysis, cost
../data/rfc/rfc2975.txt-   allocation, auditing, and billing.  Each of these tasks has different
../data/rfc/rfc2975.txt-   requirements.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-1.4.1.  Trend analysis and capacity planning
--
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   requirements while still providing the forecast with the desired
../data/rfc/rfc2975.txt-   statistical accuracy, it may be possible to tolerate high packet loss
../data/rfc/rfc2975.txt-   as long as bias is not introduced.
--
../data/rfc/rfc2975.txt-   inter-domain applications confidentiality may be desirable to guard
../data/rfc/rfc2975.txt-   against snooping by third parties.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-1.4.2.  Billing
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   When accounting data is used for billing purposes, the requirements
../data/rfc/rfc2975.txt-   depend on whether the billing process is usage-sensitive or not.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-1.4.2.1.  Non-usage sensitive billing
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   Since by definition, non-usage-sensitive billing does not require
../data/rfc/rfc2975.txt:   usage information, in theory all accounting data can be lost without
../data/rfc/rfc2975.txt-   affecting the billing process.  Of course this would also affect
../data/rfc/rfc2975.txt-   other tasks such as trend analysis or auditing, so that such
../data/rfc/rfc2975.txt-   wholesale data loss would still be unacceptable.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-1.4.2.2.  Usage-sensitive billing
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   Since usage-sensitive billing processes depend on usage information,
../data/rfc/rfc2975.txt-   packet loss may translate directly to revenue loss.  As a result, the
../data/rfc/rfc2975.txt-   billing process may need to conform to financial reporting and legal
../data/rfc/rfc2975.txt:   requirements, and therefore an archival accounting approach may be
../data/rfc/rfc2975.txt-   needed.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   Usage-sensitive systems may also require low processing delay.  Today
../data/rfc/rfc2975.txt-   credit risk is commonly managed by computerized fraud detection
../data/rfc/rfc2975.txt-   systems that are designed to detect unusual activity.  While
../data/rfc/rfc2975.txt-   efficiency concerns might otherwise dictate batched transmission of
../data/rfc/rfc2975.txt:   accounting data, where there is a risk of fraud, financial exposure
../data/rfc/rfc2975.txt-   increases with processing delay.  Thus it may be advisable to
../data/rfc/rfc2975.txt-   transmit each event individually to minimize batch size, or even to
../data/rfc/rfc2975.txt-   utilize quality of service techniques to minimize queuing delays.  In
../data/rfc/rfc2975.txt-   addition, it may be necessary for authorization to be dependent on
../data/rfc/rfc2975.txt-   ability to pay.
--
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   Whether these techniques will be useful varies by application since
../data/rfc/rfc2975.txt-   the degree of financial exposure is application-dependent.  For
../data/rfc/rfc2975.txt-   dial-up Internet access from a local provider, charges are typically
--
../data/rfc/rfc2975.txt-   ability to pay.  In situations where valuable resources can be
../data/rfc/rfc2975.txt-   reserved, or where charges can be high, very large bills may be rung
../data/rfc/rfc2975.txt-   up quickly, and processing may need to be completed within a defined
../data/rfc/rfc2975.txt-   time window in order to limit exposure.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Since in usage-sensitive systems, accounting data translates into
../data/rfc/rfc2975.txt-   revenue, the security and reliability requirements are greater.  Due
../data/rfc/rfc2975.txt-   to financial and legal requirements such systems need to be able to
../data/rfc/rfc2975.txt-   survive an audit.  Thus security services such as authentication,
../data/rfc/rfc2975.txt-   integrity and replay protection are frequently required and
../data/rfc/rfc2975.txt-   confidentiality and data object integrity may also be desirable.
../data/rfc/rfc2975.txt-   Application-layer acknowledgments are also often required so as to
../data/rfc/rfc2975.txt:   guard against accounting server failures.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-1.4.3.  Auditing
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   With enterprise networking expenditures on the rise, interest in
../data/rfc/rfc2975.txt-   auditing is increasing.  Auditing, which is the act of verifying the
../data/rfc/rfc2975.txt:   correctness of a procedure, commonly relies on accounting data.
../data/rfc/rfc2975.txt-   Auditing tasks include verifying the correctness of an invoice
../data/rfc/rfc2975.txt-   submitted by a service provider, or verifying conformance to usage
../data/rfc/rfc2975.txt-   policy, service level agreements, or security guidelines.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   To permit a credible audit, the auditing data collection process must
../data/rfc/rfc2975.txt:   be at least as reliable as the accounting process being used by the
../data/rfc/rfc2975.txt-   entity that is being audited.  Similarly, security policies for the
../data/rfc/rfc2975.txt-   audit should be at least as stringent as those used in preparation of
../data/rfc/rfc2975.txt-   the original invoice.  Due to financial and legal requirements,
../data/rfc/rfc2975.txt:   archival accounting practices are frequently required in this
../data/rfc/rfc2975.txt-   application.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   Where auditing procedures are used to verify conformance to usage or
../data/rfc/rfc2975.txt-   security policies, security services may be desired.  This typically
../data/rfc/rfc2975.txt-   will include authentication, integrity and replay protection as well
--
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-1.4.4.  Cost allocation
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt-   The application of cost allocation and billback methods by enterprise
--
../data/rfc/rfc2975.txt-   partners in a venture or to allocation of costs between departments
../data/rfc/rfc2975.txt-   in a single firm, cost allocation models often have profound
../data/rfc/rfc2975.txt-   behavioral and financial impacts.  As a result, systems developed for
../data/rfc/rfc2975.txt-   this purpose are typically as concerned with reliable data
../data/rfc/rfc2975.txt-   collection and security as are billing applications.  Due to
../data/rfc/rfc2975.txt:   financial and legal requirements, archival accounting practices are
../data/rfc/rfc2975.txt-   frequently required in this application.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:1.5.  Intra-domain and inter-domain accounting
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Much of the initial work on accounting management has focused on
../data/rfc/rfc2975.txt:   intra-domain accounting applications.  However, with the increasing
../data/rfc/rfc2975.txt-   deployment of services such as dial-up roaming, Internet fax, Voice
../data/rfc/rfc2975.txt-   and Video over IP and QoS, applications requiring inter-domain
../data/rfc/rfc2975.txt:   accounting are becoming increasingly common.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Inter-domain accounting differs from intra-domain accounting in
../data/rfc/rfc2975.txt:   several important ways.  Intra-domain accounting involves the
../data/rfc/rfc2975.txt-   collection of information on resource consumption within an
../data/rfc/rfc2975.txt-   administrative domain, for use within that domain.  In intra-domain
../data/rfc/rfc2975.txt:   accounting, accounting packets and session records typically do not
../data/rfc/rfc2975.txt-   cross administrative boundaries.  As a result, intra-domain
../data/rfc/rfc2975.txt:   accounting applications typically experience low packet loss and
../data/rfc/rfc2975.txt-   involve transfer of data between trusted entities.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   In contrast, inter-domain accounting involves the collection of
../data/rfc/rfc2975.txt-   information on resource consumption within an administrative domain,
../data/rfc/rfc2975.txt-   for use within another administrative domain.  In inter-domain
../data/rfc/rfc2975.txt:   accounting, accounting packets and session records will typically
../data/rfc/rfc2975.txt-   cross administrative boundaries.  As a result, inter-domain
../data/rfc/rfc2975.txt:   accounting applications may experience substantial packet loss.  In
../data/rfc/rfc2975.txt-   addition, the entities involved in the transfers cannot be assumed to
../data/rfc/rfc2975.txt-   trust each other.
../data/rfc/rfc2975.txt-
../data/rfc/rfc2975.txt:   Since inter-domain accounting applications involve transfers of
../data/rfc/rfc2975.txt:   accounting data between domains, additional security measures may be
../data/rfc/rfc2975.txt-   desirable.
In addition to authentication, replay and integrity ../data/rfc/rfc2975.txt- protection, it may be desirable to deploy security services such as ../data/rfc/rfc2975.txt- confidentiality and data object integrity. In inter-domain ../data/rfc/rfc2975.txt: accounting each involved party also typically requires a copy of each ../data/rfc/rfc2975.txt: accounting event for invoice generation and auditing. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:1.6. Accounting record production ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: Typically, a single accounting record is produced per session, or in ../data/rfc/rfc2975.txt- some cases, a set of interim records which can be summarized in a ../data/rfc/rfc2975.txt- single record for billing purposes. However, to support deployment ../data/rfc/rfc2975.txt- of services such as wireless access or complex billing regimes, a ../data/rfc/rfc2975.txt- more sophisticated approach is required. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: It is necessary to generate several accounting records from a single ../data/rfc/rfc2975.txt- session when pricing changes during a session. For instance, the ../data/rfc/rfc2975.txt- price of a service can be higher during peak hours than off-peak. ../data/rfc/rfc2975.txt- For a session continuing from one tariff period to another, it ../data/rfc/rfc2975.txt- becomes necessary for a device to report "packets sent" during both ../data/rfc/rfc2975.txt- periods. -- ../data/rfc/rfc2975.txt- while still being connected in the same session. If roaming causes a ../data/rfc/rfc2975.txt- change in the tariffs, it is necessary to account for resource ../data/rfc/rfc2975.txt- consumed in the first and second areas. Another example is where ../data/rfc/rfc2975.txt- modifications are allowed to an ongoing session. For example, it is ../data/rfc/rfc2975.txt- possible that a session could be re-authorized with improved QoS. 
../data/rfc/rfc2975.txt: This would require production of accounting records at both QoS ../data/rfc/rfc2975.txt- levels. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- These examples could be addressed by using vectors or multi- ../data/rfc/rfc2975.txt- dimensional arrays to represent resource consumption within a single ../data/rfc/rfc2975.txt- session record. For example, the vector or array could describe the ../data/rfc/rfc2975.txt- resource consumption for each combination of factors, e.g. one data ../data/rfc/rfc2975.txt- item could be the number of packets during peak hour in the area of ../data/rfc/rfc2975.txt- the home operator. However, such an approach seems complicated and ../data/rfc/rfc2975.txt- inflexible and as a result, most current systems produce a set of ../data/rfc/rfc2975.txt- records from one session. A session identifier needs to be present ../data/rfc/rfc2975.txt: in the records to permit accounting systems to tie the records ../data/rfc/rfc2975.txt- together. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- In most cases, the network device will determine when multiple ../data/rfc/rfc2975.txt- session records are needed, as the local device is aware of factors ../data/rfc/rfc2975.txt- affecting local tariffs, such as QoS changes and roaming. However, -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 11] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: control the generation of accounting records. This is of importance ../data/rfc/rfc2975.txt: in inter-domain accounting or when network devices do not have tariff ../data/rfc/rfc2975.txt: information. 
The centralized control of accounting record production ../data/rfc/rfc2975.txt- can be realized, for instance, by having authorization servers ../data/rfc/rfc2975.txt- require re-authorization at certain times and requiring the ../data/rfc/rfc2975.txt: production of accounting records upon each re-authorization. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- In conclusion, in some cases it is necessary to produce multiple ../data/rfc/rfc2975.txt: accounting records from a single session. It must be possible to do ../data/rfc/rfc2975.txt- this without requiring the user to start a new session or to re- ../data/rfc/rfc2975.txt- authenticate. The production of multiple records can be controlled ../data/rfc/rfc2975.txt- either by the network device or by the AAA server. The requirements ../data/rfc/rfc2975.txt- for timeliness, security and reliability in multiple record sessions ../data/rfc/rfc2975.txt- are the same as for single-record sessions. -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 12] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-1.7. 
Requirements summary ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -- ../data/rfc/rfc2975.txt- | Billing | replay protection | replay protection | ../data/rfc/rfc2975.txt- | | [confidentiality] | confidentiality | ../data/rfc/rfc2975.txt- | | | [data object sec.]| ../data/rfc/rfc2975.txt- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ../data/rfc/rfc2975.txt- | | Archival | Archival | ../data/rfc/rfc2975.txt: | Usage | accounting | accounting | ../data/rfc/rfc2975.txt- | Sensitive | Integrity, | Integrity, | ../data/rfc/rfc2975.txt- | Billing, | authentication, | authentication, | ../data/rfc/rfc2975.txt- | Cost | replay protection | replay prot. | ../data/rfc/rfc2975.txt- | Allocation & | [confidentiality] | confidentiality | ../data/rfc/rfc2975.txt- | Auditing | [Bounds on | [data object sec.]| ../data/rfc/rfc2975.txt- | | processing delay] | [Bounds on | ../data/rfc/rfc2975.txt- | | | processing delay] | ../data/rfc/rfc2975.txt- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ../data/rfc/rfc2975.txt- | | Archival | Archival | ../data/rfc/rfc2975.txt: | Time | accounting | accounting | ../data/rfc/rfc2975.txt- | Sensitive | Integrity, | Integrity, | ../data/rfc/rfc2975.txt- | Billing, | authentication, | authentication, | ../data/rfc/rfc2975.txt- | fraud | replay protection | replay prot. | ../data/rfc/rfc2975.txt- | detection, | [confidentiality] | confidentiality | ../data/rfc/rfc2975.txt- | roaming | | [Data object | -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 13] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-2. 
Scaling and reliability ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- With the continuing growth of the Internet, it is important that ../data/rfc/rfc2975.txt: accounting management systems be scalable and reliable. This section ../data/rfc/rfc2975.txt: discusses the resources consumed by accounting management systems as ../data/rfc/rfc2975.txt- well as the scalability and reliability properties exhibited by ../data/rfc/rfc2975.txt- various data collection and transport models. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-2.1. Fault resilience ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- As noted earlier, in applications such as usage-sensitive billing, ../data/rfc/rfc2975.txt: cost allocation and auditing, an archival approach to accounting is ../data/rfc/rfc2975.txt- frequently mandated, due to financial and legal requirements. Since ../data/rfc/rfc2975.txt: in such situations loss of accounting data can translate to revenue ../data/rfc/rfc2975.txt- loss, there is incentive to engineer a high degree of fault ../data/rfc/rfc2975.txt- resilience. Faults which may be encountered include: ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Packet loss ../data/rfc/rfc2975.txt: Accounting server failures ../data/rfc/rfc2975.txt- Network failures ../data/rfc/rfc2975.txt- Device reboots ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: To date, much of the debate on accounting reliability has focused on ../data/rfc/rfc2975.txt- resilience against packet loss and the differences between UDP, SCTP ../data/rfc/rfc2975.txt- and TCP-based transport. However, it should be understood that ../data/rfc/rfc2975.txt- resilience against packet loss is only one aspect of meeting ../data/rfc/rfc2975.txt: archival accounting requirements. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- As noted in [18], "once the cable is cut you don't need more ../data/rfc/rfc2975.txt- retransmissions, you need a *lot* more voltage." 
Thus, the choice of ../data/rfc/rfc2975.txt- transport has no impact on resilience against faults such as network ../data/rfc/rfc2975.txt: partition, accounting server failures or device reboots. What does ../data/rfc/rfc2975.txt- provide resilience against these faults is non-volatile storage. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- The importance of non-volatile storage in design of reliable ../data/rfc/rfc2975.txt: accounting systems cannot be over-emphasized. Without non-volatile ../data/rfc/rfc2975.txt- storage, event-driven systems will lose data once the transmission ../data/rfc/rfc2975.txt- timeout has been exceeded, and batching designs will experience data ../data/rfc/rfc2975.txt: loss once the internal memory used for accounting data storage has ../data/rfc/rfc2975.txt- been exceeded. Via use of non-volatile storage, and internally ../data/rfc/rfc2975.txt- stored interim records, most of these data losses can be avoided. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- It may even be argued that non-volatile storage is more important to ../data/rfc/rfc2975.txt: accounting reliability than network connectivity, since for many ../data/rfc/rfc2975.txt: years reliable accounting systems were implemented based solely on ../data/rfc/rfc2975.txt- physical storage, without any network connectivity. For example, ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 14] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- phone usage data used to be stored on paper, film, or magnetic media ../data/rfc/rfc2975.txt- and carried from the place of collection to a central location for ../data/rfc/rfc2975.txt- bill processing. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:2.1.1. 
Interim accounting ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: Interim accounting provides protection against loss of session ../data/rfc/rfc2975.txt- summary data by providing checkpoint information that can be used to ../data/rfc/rfc2975.txt- reconstruct the session record in the event that the session summary ../data/rfc/rfc2975.txt- information is lost. This technique may be applied to any data ../data/rfc/rfc2975.txt- collection model (i.e. event-driven or polling) and is supported in ../data/rfc/rfc2975.txt- both RADIUS [25] and in TACACS+. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: While interim accounting can provide resilience against packet loss, ../data/rfc/rfc2975.txt- server failures, short-duration network failures, or device reboot, ../data/rfc/rfc2975.txt: its applicability is limited. Transmission of interim accounting ../data/rfc/rfc2975.txt- data over the wire should not be thought of as a mainstream ../data/rfc/rfc2975.txt- reliability improvement technique since it increases use of network ../data/rfc/rfc2975.txt- bandwidth in normal operation, while providing benefits only in the ../data/rfc/rfc2975.txt- event of a fault. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Since most packet loss on the Internet is due to congestion, sending ../data/rfc/rfc2975.txt: interim accounting data over the wire can make the problem worse by ../data/rfc/rfc2975.txt: increasing bandwidth usage. Therefore on-the-wire interim accounting ../data/rfc/rfc2975.txt: is best restricted to high-value accounting data such as information ../data/rfc/rfc2975.txt- on long-lived sessions. To protect against loss of data on such ../data/rfc/rfc2975.txt- sessions, the interim reporting interval is typically set several ../data/rfc/rfc2975.txt- standard deviations larger than the average session duration. 
This ../data/rfc/rfc2975.txt- ensures that most sessions will not result in generation of interim ../data/rfc/rfc2975.txt: accounting events and the additional bandwidth consumed by interim ../data/rfc/rfc2975.txt: accounting will be limited. However, as the interim accounting ../data/rfc/rfc2975.txt- interval decreases toward the average session time, the additional ../data/rfc/rfc2975.txt: bandwidth consumed by interim accounting increases markedly, and as a ../data/rfc/rfc2975.txt- result, the interval must be set with caution. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: Where non-volatile storage is unavailable, interim accounting can ../data/rfc/rfc2975.txt- also result in excessive consumption of memory that could be better ../data/rfc/rfc2975.txt- allocated to storage of session data. As a result, implementors ../data/rfc/rfc2975.txt: should be careful to ensure that new interim accounting data ../data/rfc/rfc2975.txt- overwrites previous data rather than accumulating additional interim ../data/rfc/rfc2975.txt- records in memory, thereby worsening the buffer exhaustion problem. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Given the increasing popularity of non-volatile storage for use in ../data/rfc/rfc2975.txt- consumer devices such as digital cameras, such devices are rapidly -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 15] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Where non-volatile storage is available, this can be used to store ../data/rfc/rfc2975.txt: interim accounting data. Stored interim events are then replaced by ../data/rfc/rfc2975.txt- updated interim events or by session data when the session completes. 
../data/rfc/rfc2975.txt- The session data can itself be erased once the data has been ../data/rfc/rfc2975.txt- transmitted and acknowledged at the application layer. This approach ../data/rfc/rfc2975.txt- avoids interim data being transmitted over the wire except in the ../data/rfc/rfc2975.txt- case of a device reboot. When a device reboots, internally stored ../data/rfc/rfc2975.txt: interim records are transferred to the accounting server. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-2.1.2. Multiple record sessions ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: Generation of multiple accounting records within a session can ../data/rfc/rfc2975.txt- introduce scalability problems that cannot be controlled using the ../data/rfc/rfc2975.txt: techniques available in interim accounting. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- For example, in the case of interim records kept in non-volatile ../data/rfc/rfc2975.txt- storage, it is possible to overwrite previous interim records with ../data/rfc/rfc2975.txt- the most recent one or summarize them to a session record. Where ../data/rfc/rfc2975.txt- interim updates are sent over the wire, it is possible to control ../data/rfc/rfc2975.txt: bandwidth usage by adjusting the interim accounting interval. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- These measures are not applicable where multiple session records are ../data/rfc/rfc2975.txt- produced from a single session, since these records cannot be ../data/rfc/rfc2975.txt- summarized or overwritten without loss of information. As a result, ../data/rfc/rfc2975.txt- multiple record production can result in increased consumption of -- ../data/rfc/rfc2975.txt- implemented carelessly, create a sudden peak in the consumption of ../data/rfc/rfc2975.txt- memory and bandwidth as the records need to be stored and/or ../data/rfc/rfc2975.txt- transported. 
Rather than attempting to send all of the records at ../data/rfc/rfc2975.txt- once, it may be desirable to keep them in non-volatile storage and ../data/rfc/rfc2975.txt- send all of the related records together in a batch when the session ../data/rfc/rfc2975.txt: completes. It may also be desirable to shape the accounting traffic ../data/rfc/rfc2975.txt- flow so as to reduce the peak bandwidth consumption. This can be ../data/rfc/rfc2975.txt- accomplished by introduction of a randomized delay interval. If the ../data/rfc/rfc2975.txt: home domain can also control the generation of multiple accounting ../data/rfc/rfc2975.txt- records, the estimation of the worst-case processing requirements can ../data/rfc/rfc2975.txt- be very difficult. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-2.1.3. Packet loss ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: As packet loss is a fact of life on the Internet, accounting ../data/rfc/rfc2975.txt- protocols dealing with session data need to be resilient against ../data/rfc/rfc2975.txt- packet loss. This is particularly important in inter-domain ../data/rfc/rfc2975.txt: accounting, where packets often pass through Network Access Points ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 16] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- (NAPs) where packet loss may be substantial. Resilience against ../data/rfc/rfc2975.txt- packet loss can be accomplished via implementation of a retry ../data/rfc/rfc2975.txt- mechanism on top of UDP, or use of TCP [7] or SCTP [26]. On-the-wire ../data/rfc/rfc2975.txt: interim accounting provides only limited benefits in mitigating the ../data/rfc/rfc2975.txt- effects of packet loss. 
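   The non-volatile storage behaviour described in sections 2.1.1 and
   2.1.2 above (a new interim record overwrites the previous one, the
   records of a multiple-record session are kept and sent as one batch,
   nothing is erased before an application-layer acknowledgment, and
   whatever is left is replayed after a reboot), worked as an added
   example that is not code from the RFC or from any RADIUS or TACACS+
   implementation. The SQLite schema, the method names and the sample
   sessions are assumptions made for this example.

```python
"""Interim and multiple-record session data in non-volatile storage.
Added example, not code from RFC 2975, RADIUS or TACACS+; the SQLite
schema, method names and sample sessions are constructed for it.
Counters are cumulative within each record, so a newer interim
checkpoint can simply overwrite the older one."""
import json
import os
import sqlite3
import tempfile
from typing import Dict, List, Optional


class DurableAccountingStore:
    """One SQLite file stands in for one device's non-volatile storage."""

    def __init__(self, path: str) -> None:
        # Autocommit: a checkpoint is on disk before the call returns.
        self.db = sqlite3.connect(path, isolation_level=None)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS session_records ("
            " session_id TEXT NOT NULL,"
            " record_no INTEGER NOT NULL,"  # > 1 only in multiple-record sessions
            " kind TEXT NOT NULL,"          # 'interim', 'partial' or 'stop'
            " counters TEXT NOT NULL,"      # JSON, cumulative within the record
            " PRIMARY KEY (session_id, record_no))")

    def _open_record_no(self, session_id: str) -> int:
        """The record being built: the latest interim record, or a fresh
        record number if the latest record has already been closed."""
        row = self.db.execute(
            "SELECT record_no, kind FROM session_records WHERE session_id = ?"
            " ORDER BY record_no DESC LIMIT 1", (session_id,)).fetchone()
        if row is None:
            return 1
        record_no, kind = row
        return record_no if kind == "interim" else record_no + 1

    def _put(self, session_id: str, kind: str, counters: Dict[str, int]) -> None:
        self.db.execute(
            "INSERT OR REPLACE INTO session_records VALUES (?, ?, ?, ?)",
            (session_id, self._open_record_no(session_id), kind,
             json.dumps(counters)))

    def checkpoint(self, session_id: str, counters: Dict[str, int]) -> None:
        """Interim record: replaces the previous interim record of the open
        record instead of accumulating interim records in storage."""
        self._put(session_id, "interim", counters)

    def close_record(self, session_id: str, counters: Dict[str, int],
                     final: bool) -> None:
        """Tariff change / re-authorization (final=False) or session end
        (final=True): the open record is frozen as 'partial' or 'stop'."""
        self._put(session_id, "stop" if final else "partial", counters)

    def batch(self, session_id: str) -> List[dict]:
        """All records of one session, sent together when it completes."""
        rows = self.db.execute(
            "SELECT session_id, record_no, kind, counters FROM session_records"
            " WHERE session_id = ? ORDER BY record_no", (session_id,)).fetchall()
        return [{"session_id": s, "record_no": n, "kind": k,
                 "counters": json.loads(c)} for s, n, k, c in rows]

    def pending(self) -> List[dict]:
        """Everything still owed to the accounting server, e.g. after a reboot."""
        ids = self.db.execute(
            "SELECT DISTINCT session_id FROM session_records ORDER BY 1").fetchall()
        return [rec for (sid,) in ids for rec in self.batch(sid)]

    def acknowledged(self, session_id: str) -> None:
        """Application-layer ack for the whole batch: only now is it erased."""
        self.db.execute("DELETE FROM session_records WHERE session_id = ?",
                        (session_id,))

    def close(self) -> None:
        self.db.close()


def simulate_device_lifecycle(path: Optional[str] = None) -> List[dict]:
    """Two constructed sessions, a simulated reboot, then what a fresh
    process finds in non-volatile storage."""
    path = path or os.path.join(tempfile.mkdtemp(), "acct.sqlite")
    store = DurableAccountingStore(path)
    # sess-A: two checkpoints (the second overwrites the first), a tariff
    # change that closes record 1, then two more checkpoints on record 2.
    store.checkpoint("sess-A", {"octets_in": 1000})
    store.checkpoint("sess-A", {"octets_in": 2500})
    store.close_record("sess-A", {"octets_in": 4100}, final=False)
    store.checkpoint("sess-A", {"octets_in": 600})
    store.checkpoint("sess-A", {"octets_in": 1900})
    # sess-B: completes, its batch is sent and acked at the application
    # layer, so its records are erased before the reboot.
    store.checkpoint("sess-B", {"octets_in": 300})
    store.close_record("sess-B", {"octets_in": 900}, final=True)
    store.acknowledged("sess-B")
    store.close()                       # simulated reboot: RAM state is gone
    rebooted = DurableAccountingStore(path)
    owed = rebooted.pending()
    rebooted.close()
    return owed
```

   After the simulated reboot only sess-A's two records remain: the
   frozen partial record for the first tariff period and the latest
   interim checkpoint of the second, never a pile of stale checkpoints.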

   UDP-based transport is frequently used in accounting applications.
   However, this is not appropriate in all cases. Where accounting data
   will not fit within a single UDP packet without fragmentation, use of
   TCP or SCTP transport may be preferred to use of multiple round-trips
   in UDP. As noted in [47] and [49], this may be an issue in the
   retrieval of large tables.

   In addition, in cases where congestion is likely, such as in
   inter-domain accounting, TCP or SCTP congestion control and
   round-trip time estimation will be very useful, optimizing
   throughput. In applications which require maintenance of session
   state, such as simultaneous usage control, TCP and application-layer
   keep alive packets or SCTP with its built-in heartbeat capabilities
   provide a mechanism for keeping track of session state.
--
      Data model
      Retry behavior
      Congestion control
      Timeout behavior

   Accounting reliability can be influenced by how the data is modeled.
   For example, it is almost always preferable to use cumulative
   variables rather than expressing accounting data in terms of a change
   from a previous data item. With cumulative data, the current state
   can be recovered by a successful retrieval, even after many packets
   have been lost. However, if the data is transmitted as a change then
   the state will not be recovered until the next cumulative update is
   sent. Thus, such implementations are much more vulnerable to packet
   loss, and should be avoided wherever possible.

   In designing a UDP retry mechanism, it is important that the retry
   timers relate to the round-trip time, so that retransmissions will
   not typically occur within the period in which acknowledgments may be
   expected to arrive. Accounting bandwidth may be significant in some
   circumstances, so that the added traffic due to unnecessary
   retransmissions may increase congestion levels.

   Congestion control in accounting data transfer is a somewhat
   controversial issue. Since accounting traffic is often considered
   mission-critical, it has been argued that congestion control is not a
   requirement; better to let other less-critical traffic back off in
   response to congestion. Moreover, without non-volatile storage,
   congestive back-off in accounting applications can result in data
   loss due to buffer exhaustion.
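   The data model argument above (cumulative variables versus changes
   from the previous item), worked as an added example that is not code
   from the RFC: one constructed counter history is encoded both ways,
   sent through a channel that drops every n-th record, and the state
   the server can recover is compared; it also shows what the next
   successful retrieval repairs and what it does not.

```python
"""Cumulative versus delta accounting variables under packet loss.
Added example, not code from RFC 2975; the session counter history and
the deterministic loss pattern are constructed for the demonstration."""
from typing import List, Tuple

# Constructed cumulative "octets" counter of one session, one value per
# accounting update, as seen on the device.
SESSION = [100, 250, 400, 700, 900, 1300, 1500, 1800, 2100, 2500]


def lossy_channel(records: List[dict], drop_every: int) -> List[dict]:
    """Drop every `drop_every`-th record (1-based) so runs are reproducible."""
    return [r for i, r in enumerate(records, 1) if i % drop_every != 0]


def device_updates(history: List[int]) -> Tuple[List[dict], List[dict]]:
    """Encode the same counter history both ways, as the device would."""
    cumulative = [{"seq": i, "octets": v} for i, v in enumerate(history, 1)]
    delta, prev = [], 0
    for i, v in enumerate(history, 1):
        delta.append({"seq": i, "octets_delta": v - prev})
        prev = v
    return cumulative, delta


def server_state_cumulative(received: List[dict]) -> int:
    """The surviving record with the highest sequence carries the whole
    state; earlier losses, reordering and duplicates are all harmless."""
    if not received:
        return 0
    return max(received, key=lambda r: r["seq"])["octets"]


def server_state_delta(received: List[dict]) -> int:
    """Every lost delta is missing from the sum and nothing later repairs it."""
    return sum(r["octets_delta"] for r in received)


def compare(history: List[int], drop_every: int) -> dict:
    """The server's view of the session under loss, for both data models."""
    cumulative, delta = device_updates(history)
    return {
        "truth": history[-1],
        "cumulative": server_state_cumulative(lossy_channel(cumulative, drop_every)),
        "delta": server_state_delta(lossy_channel(delta, drop_every)),
    }


def after_next_update(history: List[int], drop_every: int, next_value: int) -> dict:
    """One more update gets through after the lossy stretch: the cumulative
    view snaps back to the truth, the delta view stays permanently short."""
    cumulative, delta = device_updates(history + [next_value])
    cum_rx = lossy_channel(cumulative[:-1], drop_every) + [cumulative[-1]]
    delta_rx = lossy_channel(delta[:-1], drop_every) + [delta[-1]]
    return {
        "truth": next_value,
        "cumulative": server_state_cumulative(cum_rx),
        "delta": server_state_delta(delta_rx),
    }
```

   With every fifth record dropped the last update is among the lost
   ones, so even the cumulative view lags until the next retrieval; the
   delta view is short by the lost increments for good.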

   However, it can also be argued that in modern accounting
   implementations, it is possible to implement congestion control while
   improving throughput and maintaining high reliability. In
   circumstances where there is sustained packet loss, there simply is
   not sufficient capacity to maintain existing transmission rates.
   Thus, aggregate throughput will actually improve if congestive
   back-off is implemented. This is due to elimination of
   retransmissions and the ability to utilize techniques such as RED to
   desynchronize flows. In addition, with QoS mechanisms such as
   differentiated services, it is possible to mark accounting packets
   for preferential handling so as to provide for lower packet loss if
   desired. Thus considerable leeway is available to the network
   administrator in controlling the treatment of accounting packets and
   hard coding inelastic behavior is unnecessary. Typically, systems
   implementing non-volatile storage allow for backlogged accounting
   data to be placed in non-volatile storage pending transmission, so
   that buffer exhaustion resulting from congestive back-off need not be
   a concern.

   Since UDP is not really a transport protocol, UDP-based accounting
   protocols such as [4] often do not prescribe timeout behavior. Thus
   implementations may exhibit widely different behavior. For example,
   one implementation may drop accounting data after three constant
   duration retries to the same server, while another may implement
   exponential back-off to a given server, then switch to another
   server, up to a total timeout interval of twelve hours, while storing
   the untransmitted data on non-volatile storage. The practical
   difference between these approaches is substantial; the former
   approach will not satisfy archival accounting requirements while the
   latter may. More predictable behavior can be achieved via use of
   SCTP or TCP transport.

2.1.4. Accounting server failover

   In the event of a failure of the primary accounting server, it is
   desirable for the device to fail over to a secondary server.
   Providing one or more secondary servers can remove much of the risk
   of accounting server failure, and as a result use of secondary
   servers has become commonplace.

   For protocols based on TCP, it is possible for the device to maintain
   connections to both the primary and secondary accounting servers,
   using the secondary connection after expiration of a timer on the
   primary connection. Alternatively, it is possible to open a
   connection to the secondary accounting server after a timeout or loss
   of the primary connection, or on expiration of a timer. Thus,
   accounting protocols based on TCP are capable of responding more
   rapidly to connectivity failures than TCP timeouts would otherwise
   allow, at the expense of an increased risk of duplicates.

   With SCTP, it is possible to control transport layer timeout
   behavior, and therefore it is not necessary for the accounting
   application to maintain its own timers. SCTP also enables
   multiplexing of multiple connections within a single transport
   connection, all maintaining the same congestion control state,
   avoiding the "head of line blocking" issues that can occur with TCP.
   However, since SCTP is not widely available, use of this transport
--
   For protocols using UDP, transmission to the secondary server can
   occur after a number of retries or timer expiration. For
   compatibility with congestion avoidance, it is advisable to
   incorporate techniques such as round-trip-time estimation, slow start
   and congestive back-off. Thus the accounting protocol designer
   utilizing UDP often is led to re-inventing techniques already
   existing in TCP and SCTP. As a result, the use of raw UDP transport
   in accounting applications is not recommended.

   With any transport it is possible for the primary and secondary
   accounting servers to receive duplicate packets, so support for
   duplicate elimination is required. Since accounting server failures
   can result in data accumulation on accounting clients, use of
   non-volatile storage can ensure against data loss due to transmission
   timeouts or buffer exhaustion. On-the-wire interim accounting
   provides only limited benefits in mitigating the effects of
   accounting server failures.

2.1.5. Application layer acknowledgments

   It is possible for the accounting server to experience partial
   failures. For example, a failure in the database back end could
   leave the accounting retrieval process or thread operable while the
   process or thread responsible for storing the data is non-functional.
   Similarly, it is possible for the accounting application to run out
   of disk space, making it unable to continue storing incoming session
   records.

   In such cases it is desirable to distinguish between transport layer
   acknowledgment and application layer acknowledgment. Even though
   both acknowledgments may be sent within the same packet (such as a
--
   layer to acknowledge receipt via transport layer acknowledgment,
   without having delivered the data to the application. Similarly, the
   application may not complete the tasks necessary to take
   responsibility for the data.

   For example, an accounting server may receive data from the transport
   layer but be incapable of storing the data due to a back end database
   problem or disk fault. In this case it should not send an
   application layer acknowledgment, even though a transport layer
   acknowledgment is appropriate. Rather, an application layer error
   message should be sent indicating the source of the problem, such as
--

2.1.6. Network failures

   Network failures may result in partial or complete loss of
   connectivity for the accounting client. In the event of partial
   connectivity loss, it may not be possible to reach the primary
   accounting server, in which case switch over to the secondary
   accounting server is necessary. In the event of a network partition,
   it may be necessary to store accounting events in device memory or
   non-volatile storage until connectivity can be re-established.
   As with accounting server failures, on-the-wire interim accounting provides only limited benefits in mitigating the effects of network failures.

2.1.7. Device reboots

   In the event of a device reboot, it is desirable to minimize the loss of data on sessions in progress. Such losses may be significant even if the devices themselves are very reliable, due to long-lived sessions, which can comprise a significant fraction of total resource consumption. To guard against loss of these high-value sessions, interim accounting data is typically transmitted over the wire. When interim accounting in-place is combined with non-volatile storage it becomes possible to guard against data loss in much shorter sessions. This is possible since interim accounting data need only be stored in non-volatile memory until the session completes, at which time the interim data may be replaced by the session record. As a result, interim accounting data need never be sent over the wire, and it is possible to decrease the interim interval so as to provide a very high degree of protection against data loss.

2.1.8. Accounting proxies

   In order to maintain high reliability, it is important that accounting proxies pass through transport and application layer acknowledgments and do not store and forward accounting packets. This enables the end-systems to control re-transmission behavior and utilize techniques such as non-volatile storage and secondary servers to improve resilience.

   Accounting proxies sending a transport or application layer ACK to the device without receiving one from the accounting server fool the device into thinking that the accounting request had been accepted by the accounting server when this is not the case. As a result, the device can delete the accounting packet from non-volatile storage before it has been accepted by the accounting server. This leaves the accounting proxy responsible for delivering accounting packets. If the accounting proxy involves moving parts (e.g. a disk drive) while the devices do not, overall system reliability can be reduced.

   Store and forward accounting proxies only add value in situations where the accounting subsystem is unreliable. For example, where devices do not implement non-volatile storage and the accounting protocol lacks transport and application layer reliability, locating the accounting proxy (with its stable storage) close to the device can reduce the risk of data loss.
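   The end-to-end behaviour that sections 2.1.4 through 2.1.8 call for, as an added Python simulation that is not code from the RFC (the class names, the session data and the early-ACK proxy are this example's own constructs): records wait in non-volatile storage until an application-layer ACK, interim records overwrite per session, the server eliminates duplicates, and a store-and-forward proxy that acknowledges before the server has accepted a record leaves the device with no copy while the server holds nothing.

```python
"""Added illustration for sections 2.1.4 through 2.1.8 of RFC 2975, not code from
the RFC: undelivered records wait in non-volatile storage (one slot per session,
so interims overwrite), are released only by an application-layer ACK, the server
eliminates duplicates, and a proxy that ACKs early defeats the whole scheme.
All names and the session data below are this example's own constructs."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Ack = Tuple[bool, bool]   # (transport-layer ACK, application-layer ACK)

@dataclass(frozen=True)
class Record:
    session_id: str
    seq: int        # per-session sequence number; with kind, the duplicate-elimination key
    kind: str       # "interim" or "stop"
    octets: int     # cumulative counter: a lost interim costs nothing once the stop arrives

class NonVolatileStore:
    """Stable storage with one slot per session: a newer interim or the final
    stop record replaces the older interim (sections 2.1.7 and 2.2.2)."""
    def __init__(self) -> None:
        self.slots: Dict[str, Record] = {}

    def put(self, rec: Record) -> None:
        self.slots[rec.session_id] = rec

    def delete(self, session_id: str) -> None:
        self.slots.pop(session_id, None)

    def pending(self) -> List[Record]:
        return list(self.slots.values())

class AccountingServer:
    """With the back end down the packet is still received (transport-layer ACK)
    but cannot be stored, so an application-layer error is returned instead."""
    def __init__(self, backend_up: bool = True) -> None:
        self.backend_up = backend_up
        self.seen: Set[Tuple[str, int, str]] = set()
        self.stored: List[Record] = []

    def receive(self, rec: Record) -> Ack:
        key = (rec.session_id, rec.seq, rec.kind)
        if key in self.seen:
            return True, True      # duplicate: already stored, ACK again, store nothing
        if not self.backend_up:
            return True, False     # received, but not taking responsibility for it
        self.seen.add(key)
        self.stored.append(rec)
        return True, True

class EarlyAckProxy:
    """Store-and-forward proxy that ACKs before the server has accepted anything
    (the behaviour section 2.1.8 warns against); it never forwards in this run."""
    def __init__(self) -> None:
        self.queue: List[Record] = []

    def receive(self, rec: Record) -> Ack:
        self.queue.append(rec)
        return True, True

class AccountingClient:
    def __init__(self, store: NonVolatileStore) -> None:
        self.store = store

    def record(self, rec: Record) -> None:
        self.store.put(rec)

    def flush(self, target) -> Dict[str, Ack]:
        """Send every pending record; a transport ACK alone keeps the record in
        stable storage, only an application-layer ACK releases it."""
        results: Dict[str, Ack] = {}
        for rec in self.store.pending():
            transport_ack, app_ack = target.receive(rec)
            if app_ack:
                self.store.delete(rec.session_id)
            results[rec.session_id] = (transport_ack, app_ack)
        return results

def scenario(backend_up: bool, via_early_ack_proxy: bool = False) -> dict:
    """Constructed data: s1 sends two interims then a stop, which is retransmitted
    once as if its ACK were lost; s2 sends a single interim."""
    store = NonVolatileStore()
    client, server = AccountingClient(store), AccountingServer(backend_up)
    target = EarlyAckProxy() if via_early_ack_proxy else server
    client.record(Record("s1", 1, "interim", 1000))
    client.record(Record("s1", 2, "interim", 2500))   # overwrites seq 1 in the s1 slot
    client.record(Record("s2", 1, "interim", 300))
    first = client.flush(target)
    client.record(Record("s1", 3, "stop", 4000))
    client.flush(target)
    client.record(Record("s1", 3, "stop", 4000))      # retransmitted stop record
    client.flush(target)
    return {
        "first_flush": first,
        "still_pending": sorted(store.slots),
        "server_stored": [(r.session_id, r.seq, r.kind) for r in server.stored],
    }
```

   With the back end down, every record stays in the store after a transport-only ACK; through the early-ACK proxy the store is emptied while the server has stored nothing.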
   However, such systems are inherently unreliable so that they are only appropriate for use in capacity planning or non-usage sensitive billing applications. If archival accounting reliability is desired, it is necessary to engineer a reliable accounting system from the start using the techniques described in this document, rather than attempting to patch an inherently unreliable system by adding store and forward accounting proxies.
--
2.1.9. Fault resilience summary

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
   |                |                                        |
   |   Packet       |   Retransmission based on RTT          |
   |   loss         |   Congestion control                   |
   |                |   Well-defined timeout behavior        |
   |                |   Duplicate elimination                |
   |                |   Interim accounting*                  |
   |                |   Non-volatile storage                 |
   |                |   Cumulative variables                 |
   |                |                                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                |                                        |
   |   Accounting   |   Primary-secondary servers            |
   |   server & net |   Duplicate elimination                |
   |   failures     |   Interim accounting*                  |
   |                |   Application layer ACK & error msgs.  |
   |                |   Non-volatile storage                 |
   |                |                                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                |                                        |
   |   Device       |   Interim accounting*                  |
   |   reboots      |   Non-volatile storage                 |
   |                |                                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Key
   * = limited usefulness without non-volatile storage

   Note: Accounting proxies are not a reliability enhancement mechanism.

2.2. Resource consumption

   In the process of growing to meet the needs of providers and customers, accounting management systems consume a variety of resources, including:

      Network bandwidth
      Memory
      Non-volatile storage
      State on the accounting management system
      CPU on the management system and managed devices

   In order to understand the limits to scaling, we examine each of these resources in turn.

2.2.1. Network bandwidth

   Accounting management systems consume network bandwidth in transferring accounting data. The network bandwidth consumed is proportional to the amount of data transferred, as well as required network overhead. Since accounting data for a given event may be 100 octets or less, if each event is transferred individually, overhead can represent a considerable proportion of total bandwidth consumption. As a result, it is often desirable to transfer accounting data in batches, enabling network overhead to be spread over a larger payload, and enabling efficient use of compression. As noted in [48], compression can be enabled in the accounting protocol, or can be done at the IP layer as described in [5].

2.2.2. Memory

   In accounting systems without non-volatile storage, accounting data must be stored in volatile memory during the period between when it is generated and when it is transferred. The resulting memory consumption will depend on retry and retransmission algorithms. Since systems designed for high reliability will typically wish to retry for long periods, or may store interim accounting data, the resulting memory consumption can be considerable. As a result, if non-volatile storage is unavailable, it may be desirable to compress accounting data awaiting transmission.

   As noted earlier, implementors of interim accounting should take care to ensure against excessive memory usage by overwriting older interim accounting data with newer data for the same session rather than accumulating interim data in the buffer.

2.2.3. Non-volatile storage

   Since accounting data stored in memory will typically be lost in the event of a device reboot or a timeout, it may be desirable to provide non-volatile storage for undelivered accounting data. With the costs of non-volatile storage declining rapidly, network devices will be increasingly capable of incorporating non-volatile storage support over the next few years.

   Non-volatile storage may be used to store interim or session records. As with memory utilization, interim accounting overwrite is desirable so as to prevent excessive storage consumption. Note that the use of ASCII data representation enables use of highly efficient text compression algorithms that can minimize storage requirements. Such compression algorithms are typically only applied to session records so as to enable implementation of interim data overwrite.

2.2.4. State on the accounting management system

   In order to keep track of received accounting data, accounting management systems may need to keep state on managed devices or concurrent sessions. Since the number of devices is typically much smaller than the number of concurrent sessions, it is desirable to keep only per-device state if possible.

2.2.5. CPU requirements

   CPU consumption of the managed and managing nodes will be proportional to the complexity of the required accounting processing. Operations such as ASN.1 encoding and decoding, compression/decompression, and encryption/decryption can consume considerable resources, both on accounting clients and servers.

   The effect of these operations on accounting system reliability should not be under-estimated, particularly in the case of devices with moderate CPU resources. In the event that devices are over-taxed by accounting tasks, it is likely that overall device reliability will suffer.
--
2.2.6. Efficiency measures

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
--
   |   Bandwidth    |   Compression                          |
   |                |                                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                |                                        |
   |   Memory       |   Compression                          |
   |                |   Interim accounting overwrite         |
   |                |                                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                |                                        |
   |   Non-volatile |   Compression                          |
   |   Storage      |   Interim accounting overwrite         |
   |                |                                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                |                                        |
   |   System       |   Per-device state                     |
   |   state        |                                        |
--
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2.3. Data collection models

   Several data collection models are currently in use today for the purposes of accounting data collection. These include:

      Polling model
      Event-driven model without batching
      Event-driven model with batching
      Event-driven polling model
--
2.3.1. Polling model

   In the polling model, an accounting manager will poll devices for accounting information at regular intervals. In order to ensure against loss of data, the polling interval will need to be shorter than the maximum time that accounting data can be stored on the polled device. For devices without non-volatile storage, this is typically determined by available memory; for devices with non-volatile storage the maximum polling interval is determined by the size of non-volatile storage.

   The polling model results in an accumulation of data within individual devices, and as a result, data is typically transferred to the accounting manager in a batch, resulting in an efficient transfer process. In terms of Accounting Manager state, polling systems scale with the number of managed devices, and system bandwidth usage scales with the amount of data transferred.

   Without non-volatile storage, the polling model results in loss of accounting data due to device reboots, but not due to packet loss or network failures of sufficiently short duration to be handled within available memory. This is because the Accounting Manager will continue to poll until the data is received. In situations where operational difficulties are encountered, the volume of accounting data will frequently increase so as to make data loss more likely. However, in this case the polling model will detect the problem since attempts to reach the managed devices will fail.

   The polling model scales poorly for implementation of shared use or roaming services, including wireless data, Internet telephony, QoS provisioning or Internet access. This is because in order to retrieve accounting data for users within a given domain, the Accounting Management station would need to periodically poll all devices in all domains, most of which would not contain any relevant data. There are also issues with processing delay, since use of a polling interval also implies an average processing delay of half the polling interval. This may be too high for accounting data that requires low processing delay. Thus the event-driven polling or the pure event-driven approach is more appropriate for usage sensitive billing applications such as shared use or roaming implementations.

   Per-device state is typical of polling-based network management systems, which often also carry out accounting management functions, since network management systems need to keep track of the state of network devices for operational purposes. These systems offer average processing delays equal to half the polling interval.

2.3.2. Event-driven model without batching

   In the event-driven model, a device will contact the accounting server or manager when it is ready to transfer accounting data. Most event-driven accounting systems, such as those based on RADIUS accounting, described in [4], transfer only one accounting event per packet, which is inefficient.

   Without non-volatile storage, a pure event-driven model typically stores accounting events that have not yet been delivered only until the timeout interval expires. As a result this model has the smallest memory requirements. Once the timeout interval has expired, the accounting event is lost, even if the device has sufficient buffer space to continue to store it. As a result, the event-driven model is the least reliable, since accounting data loss will occur due to device reboots, sustained packet loss, or network failures of duration greater than the timeout interval. In event-driven protocols without a "keep alive" message, accounting servers cannot assume a device failure should no messages arrive for an extended period. Thus, event-driven accounting systems are typically not useful in monitoring of device health.
   The event-driven model is frequently used in shared use networks and roaming, since this model sends data to the recipient domains without requiring them to poll a large number of devices, most of which have no relevant data. Since the event-driven model typically does not support batching, it permits accounting records to be sent with low processing delay, enabling application of fraud prevention techniques. However, because roaming accounting events are frequently of high value, the poor reliability of this model is an issue. As a result, the event-driven polling model may be more appropriate.

   Per-session state is typical of event-driven systems without
--
   transfer.

2.3.3. Event-driven model with batching

   In the event-driven model with batching, a device will contact the accounting server or manager when it is ready to transfer accounting data. The device can contact the server when a batch of a given size has been gathered, when data of a certain type is available or after a minimum time period has elapsed. Such systems can transfer more than one accounting event per packet and are thus more efficient.

   An event-driven system with batching will store accounting events that have not yet been delivered up to the limits of memory. As a result, accounting data loss will occur due to device reboots, but not due to packet loss or network failures of sufficiently short duration to be handled within available memory. Note that while transfer efficiency will increase with batch size, without non-volatile storage, the potential data loss from a device reboot will also increase.

   Where event-driven systems with batching have a keep-alive interval and run over reliable transport, the accounting server can assume that a failure has occurred if no messages are received within the keep-alive interval. Thus, such implementations can be useful in monitoring of device health. When used for this purpose the average time delay prior to failure detection is one half the keep-alive interval.

   Through implementation of a scheduling algorithm, event-driven systems with batching can deliver appropriate service to accounting events that require low processing delay. For example, high-value inter-domain accounting events could be sent immediately, thus enabling use of fraud-prevention techniques, while all other events would be batched. However, there is a possibility that an event requiring low processing delay will be caught behind a batch transfer in progress. Thus the maximum processing delay is proportional to the maximum batch size divided by the link speed.
--
   devices. As a result this approach scales better than the pure event-driven approach, or even the polling approach, and is equivalent in terms of scaling to the event-driven polling approach. However, the event-driven batching approach has lower processing delay than the event-driven polling approach, since delivery of accounting data requires fewer round-trips and events requiring low processing delay can be accommodated if a scheduling algorithm is employed.

2.3.4. Event-driven polling model

   In the event-driven polling model an accounting manager will poll the device for accounting data only when it receives an event. The accounting client can generate an event when a batch of a given size has been gathered, when data of a certain type is available or after a minimum time period has elapsed. Note that while transfer efficiency will increase with batch size, without non-volatile storage, the potential data loss from a device reboot will also increase.
--
   Without non-volatile storage, an event-driven polling model will lose data due to device reboots, but not due to packet loss, or network partitions of short duration. Unless a minimum delivery interval is set, event-driven polling systems are not useful in monitoring of device health.

   The event-driven polling model can be suitable for use in roaming since it permits accounting data to be sent to the roaming partners with low processing delay. At the same time non-roaming accounting can be handled via more efficient polling techniques, thereby providing the best of both worlds.

   Where batching can be implemented, the state required in event-driven polling can be reduced to scale with the number of active devices. If portions of the network vary widely in usage, then this state may actually be less than that of the polling approach. Note that processing delay in this approach is higher than in event-driven accounting with batching since at least two round-trips are required to deliver data: one for the event notification, and one for the resulting poll.
--
2.3.5. Data collection summary
--
3. Review of Accounting Protocols

   Accounting systems have been successfully implemented using protocols such as RADIUS, TACACS+, and SNMP. This section describes the characteristics of each of these protocols.

3.1. RADIUS

   RADIUS accounting, described in [4], was developed as an add-on to the RADIUS authentication protocol, described in [3]. As a result, RADIUS accounting shares the event-driven approach of RADIUS authentication, without support for batching or polling. As a result, RADIUS accounting scales with the number of accounting events instead of the number of devices, and accounting transfers are inefficient.
../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: Since RADIUS accounting is based on UDP and timeout and retry ../data/rfc/rfc2975.txt- parameters are not specified, implementations vary widely in their ../data/rfc/rfc2975.txt- approach to reliability, with some implementations retrying until ../data/rfc/rfc2975.txt: delivery or buffer exhaustion, and others losing accounting data ../data/rfc/rfc2975.txt: after a few retries. Since RADIUS accounting does not provide for ../data/rfc/rfc2975.txt- application-layer acknowledgments or error messages, a RADIUS ../data/rfc/rfc2975.txt: Accounting-Response is equivalent to a transport-layer acknowledgment ../data/rfc/rfc2975.txt- and provides no protection against application layer malfunctions. ../data/rfc/rfc2975.txt- Due to the lack of reliability, it is not possible to do simultaneous ../data/rfc/rfc2975.txt: usage control based on RADIUS accounting alone. Typically another ../data/rfc/rfc2975.txt- device data source is required, such as polling of a session MIB or a ../data/rfc/rfc2975.txt- command-line session over telnet. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: RADIUS accounting implementations are vulnerable to packet loss as ../data/rfc/rfc2975.txt- well as application layer failures, network failures and device ../data/rfc/rfc2975.txt: reboots. These deficiencies are magnified in inter-domain accounting ../data/rfc/rfc2975.txt- as is required in roaming ([1],[2]). On the other hand, the event- ../data/rfc/rfc2975.txt: driven approach of RADIUS accounting is useful where low processing ../data/rfc/rfc2975.txt- delay is required, such as credit risk management or fraud detection. 
../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: While RADIUS accounting does provide hop-by-hop authentication and ../data/rfc/rfc2975.txt- integrity protection, and IPSEC can be employed to provide hop-by-hop ../data/rfc/rfc2975.txt- confidentiality, data object security is not supported, and thus ../data/rfc/rfc2975.txt: systems based on RADIUS accounting are not capable of being deployed ../data/rfc/rfc2975.txt- with untrusted proxies, or in situations requiring auditability, as ../data/rfc/rfc2975.txt- noted in [2]. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- While RADIUS does not support compression, IP compression, described ../data/rfc/rfc2975.txt- in [5], can be employed to provide this. While in principle -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 32] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-3.2. TACACS+ ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: TACACS+ offers an accounting model with start, stop, and interim ../data/rfc/rfc2975.txt- update messages. Since TACACS+ is based on TCP, implementations are ../data/rfc/rfc2975.txt- typically resilient against packet loss and short-lived network ../data/rfc/rfc2975.txt- partitions, and TACACS+ scales with the number of devices. Since ../data/rfc/rfc2975.txt- TACACS+ runs over TCP, it offers support for both transport layer and ../data/rfc/rfc2975.txt- application layer acknowledgments, and is suitable for simultaneous ../data/rfc/rfc2975.txt: usage control and handling of accounting events that require moderate ../data/rfc/rfc2975.txt- though not the lowest processing delay. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- TACACS+ provides for hop-by-hop authentication and integrity ../data/rfc/rfc2975.txt- protection as well as hop-by-hop confidentiality. 
Data object ../data/rfc/rfc2975.txt- security is not supported, and therefore systems based on TACACS+ ../data/rfc/rfc2975.txt: accounting are not deployable in the presence of untrusted proxies. ../data/rfc/rfc2975.txt- While TACACS+ does not support compression, IP compression, described ../data/rfc/rfc2975.txt- in [5], can be employed to provide this. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-3.3. SNMP ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- SNMP, described in [19],[27]-[41], has been widely deployed in a wide ../data/rfc/rfc2975.txt: variety of intra-domain accounting applications, typically using the ../data/rfc/rfc2975.txt- polling data collection model. Polling allows data to be collected ../data/rfc/rfc2975.txt: on multiple accounting events simultaneously, resulting in per-device ../data/rfc/rfc2975.txt- state. Management applications are able to retry requests when a ../data/rfc/rfc2975.txt- response is not received, providing resiliency against packet loss or ../data/rfc/rfc2975.txt- even short-lived network partitions. Implementations without non- ../data/rfc/rfc2975.txt- volatile storage are not robust against device reboots or network ../data/rfc/rfc2975.txt- failures, but when combined with non-volatile storage they can be -- ../data/rfc/rfc2975.txt- trap-directed polling, but the traps are not acknowledged, and lost ../data/rfc/rfc2975.txt- traps can lead to a loss of data. SMIv2, used by SNMPv2c and SNMPv3, ../data/rfc/rfc2975.txt- has Inform Requests which are acknowledged notifications. This makes ../data/rfc/rfc2975.txt- it possible to implement a more reliable event-driven polling model ../data/rfc/rfc2975.txt- or event-driven batching model. However, we are not aware of any ../data/rfc/rfc2975.txt: SNMP-based accounting implementations currently built on the use of ../data/rfc/rfc2975.txt- Informs. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-3.3.1. 
Security services ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- SNMPv1 and SNMPv2c support per-packet authentication and read-only -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 33] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- messages. The updated SNMP architecture [rfc2571] supports per- ../data/rfc/rfc2975.txt- packet hop-by-hop authentication, integrity and replay protection, ../data/rfc/rfc2975.txt- confidentiality and access control. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- The SNMP User Security Model (USM) [38] uses shared secrets, and when ../data/rfc/rfc2975.txt- the product of the number of domains and devices is large, such as in ../data/rfc/rfc2975.txt: inter-domain accounting applications, the number of shared secrets ../data/rfc/rfc2975.txt- can get out of hand. The localized key capability in USM allows a ../data/rfc/rfc2975.txt- manager to have one central key, sharing it with many SNMP entities ../data/rfc/rfc2975.txt- in a localized way while preventing the other entities from getting ../data/rfc/rfc2975.txt- at each other's data. This can assist in cross-domain security if ../data/rfc/rfc2975.txt- deployed properly. -- ../data/rfc/rfc2975.txt- There are eighteen SNMP error codes. The design of SNMP makes ../data/rfc/rfc2975.txt- service-specific error codes unnecessary and undesirable. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-3.3.3. Proxy forwarders ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: In the accounting management architecture, proxy forwarders play an ../data/rfc/rfc2975.txt: important role, forwarding intra and inter-domain accounting events ../data/rfc/rfc2975.txt- to the correct destinations. 
The proxy forwarder may also play a ../data/rfc/rfc2975.txt- role in a polling or event-driven polling architecture. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 34] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- The functionality of an SNMP Proxy Forwarder is defined in [39]. For ../data/rfc/rfc2975.txt- example, the network devices may be configured to send notifications ../data/rfc/rfc2975.txt- for all domains to the Proxy Forwarder, and the devices may be ../data/rfc/rfc2975.txt- configured to allow the Proxy Forwarder to access all MIB data. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- The use of proxy forwarders may reduce the number of shared secrets ../data/rfc/rfc2975.txt: required for inter-domain accounting. With Proxy Forwarders, the ../data/rfc/rfc2975.txt- domains could share a secret with the Proxy Forwarder, and in turn, ../data/rfc/rfc2975.txt- the Proxy Forwarder could share a secret with each of the devices. ../data/rfc/rfc2975.txt- Thus the number of shared secrets will scale with the sum of the ../data/rfc/rfc2975.txt- number of devices and domains rather than the product. ../data/rfc/rfc2975.txt- -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Domain-based access controls are required where multiple ../data/rfc/rfc2975.txt- administrative domains are involved, such as in the shared use ../data/rfc/rfc2975.txt- networks and roaming associations described in [1]. Since the same ../data/rfc/rfc2975.txt- device may be accessed by multiple organizations, it is often ../data/rfc/rfc2975.txt: necessary to control access to accounting data according to the ../data/rfc/rfc2975.txt- user's organization. 
This ensures that organizations may be given ../data/rfc/rfc2975.txt: access to accounting data relating to their users, but not to data ../data/rfc/rfc2975.txt- relating to users of other organizations. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- In order to apply domain-based access controls, in inter-domain ../data/rfc/rfc2975.txt: accounting, it is first necessary to identify the data subset that is ../data/rfc/rfc2975.txt- to have its access controlled. Several conceptual abstractions are ../data/rfc/rfc2975.txt- used for identifying subsets of data in SNMP. These include engines, ../data/rfc/rfc2975.txt- contexts, and views. This section describes how this functionality ../data/rfc/rfc2975.txt: may be applied in intra and inter-domain accounting. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-3.3.4.1. Engines ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- The new SNMP architecture, described in [27], added the concept of an ../data/rfc/rfc2975.txt- SNMP engine to improve mobility support and to identify which data -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 35] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- A securityEngineID field in a message identifies the engine which ../data/rfc/rfc2975.txt- provides access to the security credentials contained in the message ../data/rfc/rfc2975.txt- header. A contextEngineID field in a message identifies the engine -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 36] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-3.3.4.3. 
Views ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Views are defined in the View-based Access Control Model. A view is -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- As the number of network devices within the shared use or roaming ../data/rfc/rfc2975.txt- network grows, the polling model of data collection becomes ../data/rfc/rfc2975.txt- increasingly impractical since most devices will not carry data ../data/rfc/rfc2975.txt- relating to the polling organization. As a result, shared-use ../data/rfc/rfc2975.txt: networks or roaming associations relying on SNMP-based accounting ../data/rfc/rfc2975.txt- have generally collected data for all organizations and then sorted ../data/rfc/rfc2975.txt- the resulting session records for delivery to each organization. ../data/rfc/rfc2975.txt- While functional, this approach will typically result in increased ../data/rfc/rfc2975.txt- processing delay as the number of organizations and data records ../data/rfc/rfc2975.txt- grows. -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 37] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: accounting data awaiting collection. SNMP Applications [39] defines ../data/rfc/rfc2975.txt- a standard module for managing notifications. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- To use the event-driven approaches, the device must be able to ../data/rfc/rfc2975.txt- determine when information is available for a domain. Domain- ../data/rfc/rfc2975.txt- specific data can be differentiated at the SNMP agent level through -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. 
Informational [Page 38] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- synchronization between tables. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-3.3.5.2. Contexts -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Individual domains, such as bigco.com, could be mapped to logical ../data/rfc/rfc2975.txt- contexts, such as a bigco context. The agent would need to create ../data/rfc/rfc2975.txt- and recognize new contexts and to know which instrumentation is ../data/rfc/rfc2975.txt- associated with the logical context. The agent needs to collect ../data/rfc/rfc2975.txt: accounting data by domain and make the data accessible via distinct ../data/rfc/rfc2975.txt- contexts, so that access control can be applied to the context to ../data/rfc/rfc2975.txt- prevent disclosure of sensitive information to the wrong domain. The ../data/rfc/rfc2975.txt- VACM access control views are applied relative to the context, so an ../data/rfc/rfc2975.txt- operation can be permitted or denied a user based on the context ../data/rfc/rfc2975.txt- which contains the data. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Domain separation is handled by using contextName to differentiate ../data/rfc/rfc2975.txt: multiple virtual tables. For example, if accounting data has been ../data/rfc/rfc2975.txt- collected on users with the bigco.com and smallco.com domains, then a ../data/rfc/rfc2975.txt: separate virtual instance of the accounting session record table ../data/rfc/rfc2975.txt- would exist for each domain, and each domain would have a ../data/rfc/rfc2975.txt- corresponding contextName. When a get-bulk request is made with a ../data/rfc/rfc2975.txt- contextName of bigco, then data from the virtual table in the bigco ../data/rfc/rfc2975.txt- context, i.e. corresponding to the bigco.com domain, would be ../data/rfc/rfc2975.txt- returned. 
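The domain-context approach just described, as an added example that is not code from RFC 2975 or any SNMP implementation: an agent keeps one virtual session record table per contextName, files each record by the domain part of the user's NAI, and applies a VACM-style access check to the context before a get-bulk returns any rows. The class and function names (Agent, get_bulk, build_sample_agent) and the bigco.com/smallco.com records are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class SessionRecord:
    """One row of the accounting session record table (fields constructed)."""
    user: str        # NAI form user@domain; the domain selects the context
    octets_in: int
    octets_out: int
    seconds: int


class AccessDenied(Exception):
    """VACM-style refusal: this principal may not read this context."""


def realm_of(user: str) -> str:
    """Return the domain part of an NAI such as alice@bigco.com, lowercased."""
    if "@" not in user:
        raise ValueError(f"user {user!r} carries no domain")
    return user.rsplit("@", 1)[1].lower()


@dataclass
class Agent:
    # domain -> contextName, e.g. "bigco.com" -> "bigco"
    domain_to_context: Dict[str, str] = field(default_factory=dict)
    # contextName -> its own virtual instance of the session record table
    tables: Dict[str, List[SessionRecord]] = field(default_factory=dict)
    # securityName -> contextNames that principal is allowed to read
    access: Dict[str, Set[str]] = field(default_factory=dict)

    def register_domain(self, domain: str, context_name: str) -> None:
        """Map a domain to a logical context and create its virtual table."""
        self.domain_to_context[domain.lower()] = context_name
        self.tables.setdefault(context_name, [])

    def grant(self, security_name: str, context_name: str) -> None:
        """Allow a principal (securityName) to read one context."""
        self.access.setdefault(security_name, set()).add(context_name)

    def record_session(self, rec: SessionRecord) -> str:
        """File a record into the virtual table of its user's domain."""
        ctx = self.domain_to_context.get(realm_of(rec.user))
        if ctx is None:
            raise KeyError(f"no context registered for {rec.user}")
        self.tables[ctx].append(rec)
        return ctx

    def get_bulk(self, security_name: str, context_name: str,
                 start: int = 0, max_repetitions: int = 10) -> List[SessionRecord]:
        """Model a get-bulk against one context: the access check runs
        before any row is touched, then at most max_repetitions rows are
        returned from offset start (callers page through large tables)."""
        if context_name not in self.tables:
            raise KeyError(f"unknown context {context_name!r}")
        if context_name not in self.access.get(security_name, set()):
            raise AccessDenied(f"{security_name} may not read {context_name}")
        rows = self.tables[context_name]
        return rows[start:start + max_repetitions]


def build_sample_agent() -> Agent:
    """Agent loaded with constructed records for bigco.com and smallco.com."""
    agent = Agent()
    agent.register_domain("bigco.com", "bigco")
    agent.register_domain("smallco.com", "smallco")
    agent.grant("bigco-collector", "bigco")
    agent.grant("smallco-collector", "smallco")
    for rec in (
        SessionRecord("alice@bigco.com", 120_000, 8_000, 600),
        SessionRecord("carol@smallco.com", 4_500, 900, 45),
        SessionRecord("bob@BIGCO.COM", 75_000, 2_000, 300),  # realm case-folded
    ):
        agent.record_session(rec)
    return agent


if __name__ == "__main__":
    a = build_sample_agent()
    for row in a.get_bulk("bigco-collector", "bigco"):
        print(row)
    try:
        a.get_bulk("smallco-collector", "bigco")
    except AccessDenied as exc:
        print("denied:", exc)
```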
-- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 39] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- condition, and what access control rules apply to the context. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Either technique could associate existing MIB modules to domain- -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- There are issues that arise when using SNMP for transfer of bulk ../data/rfc/rfc2975.txt- data, including issues of latency, network overhead, and table ../data/rfc/rfc2975.txt- retrieval, as discussed in [49]. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: In accounting applications, management stations often must retrieve ../data/rfc/rfc2975.txt- large tables. Latency can be high, even with the get-bulk operation, ../data/rfc/rfc2975.txt- because the response must fit into the largest supported packet size, ../data/rfc/rfc2975.txt- requiring multiple round-trips. Transfers may be serialized and the ../data/rfc/rfc2975.txt- resulting latency will be a combination of multiple round-trip times, ../data/rfc/rfc2975.txt- possible timeout and re-transmission delays and processing overhead, -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 40] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- that it is possible to stop at the end of a table. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-3.3.6.1. Ongoing research -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. 
Informational [Page 41] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Issues of legacy support exist with the NMRG proposals. Devices ../data/rfc/rfc2975.txt- which do not implement the new functionality would need to be ../data/rfc/rfc2975.txt- accommodated. This is especially problematic for proxy forwarders, -- ../data/rfc/rfc2975.txt- of identification. Thus, an IPSEC-based security model for SNMPv3 ../data/rfc/rfc2975.txt- would probably take several years to come to fruition. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-3.3.7. SNMP summary ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: Given the wealth of existing accounting-related MIB modules, it is ../data/rfc/rfc2975.txt: likely that SNMP will remain a popular accounting protocol for the ../data/rfc/rfc2975.txt- foreseeable future. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 42] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Support for notifications makes it possible to implement the event- ../data/rfc/rfc2975.txt- driven, event-driven polling and event-driven batching models. This ../data/rfc/rfc2975.txt- makes it possible to notify domains of available data rather than ../data/rfc/rfc2975.txt- requiring them to poll for it, which is critical in shared use ../data/rfc/rfc2975.txt- networks and roaming. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Given the SNMPv3 security enhancements, it is desirable for SNMP- ../data/rfc/rfc2975.txt: based intra-domain accounting implementations to upgrade to SNMPv3. ../data/rfc/rfc2975.txt- Such an upgrade is virtually mandatory for inter-domain applications. 
../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: In inter-domain accounting, the burden of managing SNMPv3 shared ../data/rfc/rfc2975.txt- secrets can be reduced via the localized key capability or via ../data/rfc/rfc2975.txt- implementation of a Proxy Forwarder. In the long term, alternative ../data/rfc/rfc2975.txt- security models such as the Kerberos Security Model may further ../data/rfc/rfc2975.txt- reduce the effort required to manage security and enable streamlined ../data/rfc/rfc2975.txt- inter-domain operation. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: SNMP-based accounting has limitations in terms of efficiency and ../data/rfc/rfc2975.txt- latency that may make it inappropriate for use in situations ../data/rfc/rfc2975.txt- requiring low processing delay or low overhead. This includes usage ../data/rfc/rfc2975.txt- sensitive billing applications where fraud detection may be required. ../data/rfc/rfc2975.txt- These issues can be addressed via proposals under discussion in the ../data/rfc/rfc2975.txt- IRTF Network Management Research Group (NMRG). The experimental SNMP -- ../data/rfc/rfc2975.txt- worth considering. However, since these proposals are still in the ../data/rfc/rfc2975.txt- research stage, and are not on the standards track, these ../data/rfc/rfc2975.txt- capabilities are not readily available, and the specifications could ../data/rfc/rfc2975.txt- change considerably before they reach their final form. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: SNMP supports separation of accounting data by domain, using either ../data/rfc/rfc2975.txt- of two general approaches with the VACM access control model. The ../data/rfc/rfc2975.txt- domain as index approach can be used if the desired MIB module ../data/rfc/rfc2975.txt- supports domain indexing, or it can implemented using an additional ../data/rfc/rfc2975.txt- table. 
The domain-context approach can be used in agents which ../data/rfc/rfc2975.txt- support dynamic logical contexts and a domain-to-context and ../data/rfc/rfc2975.txt- context-to-instrumentation mapping mechanism. Either approach can be ../data/rfc/rfc2975.txt- supported using SNMPv1, SNMPv2c, or SNMPv3 messages, by utilizing the ../data/rfc/rfc2975.txt- snmpCommunitytable [11] to provide a community-to-context mapping. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:4. Review of Accounting Data Transfer ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: In order for session records to be transmitted between accounting ../data/rfc/rfc2975.txt- servers, a transfer protocol is required. Transfer protocols in use ../data/rfc/rfc2975.txt: today include SMTP, FTP, and HTTP. For a review of accounting ../data/rfc/rfc2975.txt- attributes and record formats, see [45]. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 43] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Reference [49] contains a discussion of alternative encodings for SMI ../data/rfc/rfc2975.txt- data types, as well as alternative protocols for transmission of ../data/rfc/rfc2975.txt: accounting data. For example, [49] describes how MIME tags and XML ../data/rfc/rfc2975.txt- DTDs may be used for encoding of SNMP messages or SMI data types. ../data/rfc/rfc2975.txt- This enables data from SNMP MIBs to be transported using any protocol ../data/rfc/rfc2975.txt- that can encapsulate MIME or XML, including SMTP and HTTP. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-4.1. 
SMTP ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: To date, few accounting management systems have been built on SMTP ../data/rfc/rfc2975.txt- since the implementation of a store-and-forward message system has ../data/rfc/rfc2975.txt- traditionally required access to non-volatile storage which has not ../data/rfc/rfc2975.txt- been widely available on network devices. However, SMTP-based ../data/rfc/rfc2975.txt- implementations have many desirable characteristics, particularly ../data/rfc/rfc2975.txt- with regards to security. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: Accounting management systems using SMTP for accounting transfer will ../data/rfc/rfc2975.txt- typically support batching so that message processing overhead will ../data/rfc/rfc2975.txt: be spread over multiple accounting records. As a result, these ../data/rfc/rfc2975.txt: systems result in per-active device state. Since accounting systems ../data/rfc/rfc2975.txt- using SMTP as a transfer mechanism have access to substantial non- ../data/rfc/rfc2975.txt- volatile storage, they can generate, compress if necessary, and store ../data/rfc/rfc2975.txt: accounting records until they are transferred to the collection site. ../data/rfc/rfc2975.txt: As a result, accounting systems implemented using SMTP can be highly ../data/rfc/rfc2975.txt- efficient and scalable. Using IPSEC, TLS or Kerberos, hop-by-hop ../data/rfc/rfc2975.txt- security services such as authentication, integrity protection and ../data/rfc/rfc2975.txt- confidentiality can be provided. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- As described in [13] and [15], data object security is available for ../data/rfc/rfc2975.txt- SMTP, and in addition, the facilities described in [12] make it ../data/rfc/rfc2975.txt- possible to request and receive signed receipts, which enables non- ../data/rfc/rfc2975.txt: repudiation as described in [12]-[17]. 
As a result, accounting ../data/rfc/rfc2975.txt: systems utilizing SMTP for accounting data transfer are capable of ../data/rfc/rfc2975.txt- satisfying the most demanding security requirements. However, such ../data/rfc/rfc2975.txt- systems are not typically capable of providing low processing delay, ../data/rfc/rfc2975.txt- although this may be addressed by the enhancements described in [20]. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-4.2. Other protocols ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- File transfer protocols such as FTP and HTTP have been used for ../data/rfc/rfc2975.txt: transfer of accounting data. For example, Reference [9] describes a ../data/rfc/rfc2975.txt: means for representing ASN.1-based accounting data for storage on ../data/rfc/rfc2975.txt: archival media. Through the use of the Bulk File MIB, accounting ../data/rfc/rfc2975.txt- data from an SNMP MIB can be stored in ASN.1, bulk binary or Bulk ../data/rfc/rfc2975.txt- ASCII format, and then subsequently retrieved as required using the ../data/rfc/rfc2975.txt- FTP Client MIB. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 44] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: Given access to sufficient non-volatile storage, accounting systems ../data/rfc/rfc2975.txt- based on record formats and transfer protocols can avoid loss of data ../data/rfc/rfc2975.txt- due to long-duration network partitions, server failures or device ../data/rfc/rfc2975.txt- reboots. 
Since it is possible for the transfer to be driven from the ../data/rfc/rfc2975.txt- collection site, the collector can retry transfers until successful, ../data/rfc/rfc2975.txt- or with HTTP may even be able to restart partially completed ../data/rfc/rfc2975.txt- transfers. As a result, file transfer-based systems can be made ../data/rfc/rfc2975.txt: highly reliable, and the batching of accounting records makes ../data/rfc/rfc2975.txt- possible efficient transfers and application of required security ../data/rfc/rfc2975.txt- services with lessened overhead. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-5. Summary ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: As noted previously in this document, accounting applications vary in ../data/rfc/rfc2975.txt- their security and reliability requirements. Some uses such as ../data/rfc/rfc2975.txt- capacity planning may only require authentication, integrity and ../data/rfc/rfc2975.txt- replay protection, and modest reliability. Other applications such ../data/rfc/rfc2975.txt- as inter-domain usage-sensitive billing may require the highest ../data/rfc/rfc2975.txt- degree of security and reliability, since in these cases the transfer ../data/rfc/rfc2975.txt: of accounting data will lead directly to the transfer of funds. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt: Since accounting applications do not have uniform security and ../data/rfc/rfc2975.txt- reliability requirements, it is not possible to devise a single ../data/rfc/rfc2975.txt: accounting protocol and set of security services that will meet all ../data/rfc/rfc2975.txt: needs. Rather, the goal of accounting management should be to ../data/rfc/rfc2975.txt: provide a set of tools that can be used to construct accounting ../data/rfc/rfc2975.txt- systems meeting the requirements of an individual application. 
As a ../data/rfc/rfc2975.txt: result, it is important to analyze a given accounting application to ../data/rfc/rfc2975.txt- ensure that the methods chosen meet the security and reliability ../data/rfc/rfc2975.txt- requirements of the application. ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- Based on an analysis of the requirements, it appears that existing ../data/rfc/rfc2975.txt- deployed protocols are capable of meeting the requirements for -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. Informational [Page 45] ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt:RFC 2975 Introduction to Accounting Management October 2000 ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- For usage sensitive billing, as well as cost allocation and auditing ../data/rfc/rfc2975.txt- applications, the reliability requirement are greater. Here ../data/rfc/rfc2975.txt- transport layer reliability is required to provide robustness against ../data/rfc/rfc2975.txt- packet loss, as well as application layer acknowledgments to provide ../data/rfc/rfc2975.txt: robustness against accounting server failures. SNMP operations with ../data/rfc/rfc2975.txt- the exception of InforRequest provide application layer ../data/rfc/rfc2975.txt- acknowledgments, and the TCP transport mapping proposed by NMRG ../data/rfc/rfc2975.txt- provides robustness against packet loss. Inter-domain operation can ../data/rfc/rfc2975.txt- benefit from data object security (which no existing protocol ../data/rfc/rfc2975.txt- provides) as well as inter-domain security model enhancements (such -- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt- ../data/rfc/rfc2975.txt-Aboba, et al. 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  |                  |                      |
|      Usage       |   Intra-domain   |     Inter-domain     |
--
6.  Security Considerations

Security issues are discussed throughout this memo.
--
[3]  Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote
     Authentication Dial In User Service (RADIUS)", RFC 2138, April
     1997.

[4]  Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.

[5]  Shacham, A., Monsour, R., Pereira, R. and M. Thomas, "IP Payload
     Compression Protocol (IPComp)", RFC 2393, December 1998.

[6]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
--
[8]  Aboba, B. and M. Beadles, "The Network Access Identifier",
     RFC 2486, January 1999.

[9]  McCloghrie, K., Heinanen, J., Greene, W. and A. Prasad,
     "Accounting Information for ATM Networks", RFC 2512, February
     1999.

[10] McCloghrie, K., Heinanen, J., Greene, W. and A. Prasad,
     "Managed Objects for Controlling the Collection and Storage of
     Accounting Information for Connection-Oriented Networks", RFC
     2513, February 1999.

[11] Frye, R., Levi, D., Routhier, S. and B. Wijnen, "Coexistence
     between Version 1, Version 2, and Version 3 of the Internet-
     standard Management Framework", RFC 2576, March 2000.

[12] Fajman, R., "An Extensible Message Format for Message
     Disposition Notifications", RFC 2298, March 1998.
--
[20] Klyne, G., "Timely Delivery for Facsimile Using Internet Mail",
     Work in Progress.

[21] Johnson, H. T. and Kaplan, R. S., Relevance Lost: The Rise and
     Fall of Management Accounting, Harvard Business School Press,
     Boston, Massachusetts, 1987.

[22] Horngren, C. T. and Foster, G., Cost Accounting: A Managerial
     Emphasis, Prentice Hall, Englewood Cliffs, New Jersey, 1991.

[23] Kaplan, R. S. and Atkinson, A. A., Advanced Management
     Accounting, Prentice Hall, Englewood Cliffs, New Jersey, 1989.

[24] Cooper, R. and Kaplan, R. S., The Design of Cost Management
     Systems, Prentice Hall, Englewood Cliffs, New Jersey, 1991.

[25] Rigney, C., Willats, S. and P. Calhoun, "RADIUS Extensions", RFC
--
[26] Stewart, R., et al., "Stream Control Transmission Protocol", RFC
     2960, October 2000.
--
[40] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
     Control Model (VACM) for the Simple Network Management Protocol
     (SNMP)", RFC 2575, April 1999.
--
     Realm Authentication in Kerberos", Work in Progress.

[44] Hornstein, K. and W. Hardaker, "A Kerberos Security Model for
     SNMPv3", Work in Progress.

[45] Brownlee, N. and A. Blount, "Accounting Attributes and Record
     Formats", RFC 2924, September 2000.

[46] Network Management Research Group Web page,
     http://www.ibr.cs.tu-bs.de/projects/nmrg/
--
9.  Authors' Addresses

Bernard Aboba
--
10.  Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
--
11.  Full Copyright Statement

Copyright (C) The Internet Society (2000). All Rights Reserved.
--
../data/rfc/rfc5897.txt:
   4. Using Service Identification ....................................8
      4.1. Application Invocation in the User Agent ...................8
      4.2. Application Invocation in the Network ......................9
      4.3. Network Quality-of-Service Authorization ..................10
      4.4. Service Authorization .....................................10
      4.5. Accounting and Billing ....................................11
      4.6. Negotiation of Service ....................................11
      4.7. Dispatch to Devices .......................................11
   5. Key Principles of Service Identification .......................12
      5.1. Services Are a By-Product of Signaling ....................12
      5.2. Identical Signaling Produces Identical Services ...........13
--
4.  Using Service Identification

It is important to understand what the service identity would be
utilized for, if known. This section discusses the primary uses.
These are application invocation in user agents and the network,
Quality of Service authorization, service authorization, accounting
and billing, service negotiation, and device dispatch.

4.1.  Application Invocation in the User Agent

In some of the examples above, there were multiple software
--
Consequently, when an INVITE arrives at a server in the network, the
server will need to determine what the requested service is, so that
the server can make an authorization decision.

4.5.  Accounting and Billing

Service authorization and accounting/billing go hand in hand. One of
the primary reasons for authorizing that a user can utilize a service
is that they are being billed differently based on the type of
service. Consequently, one of the goals of a service identity is to
be able to include it in accounting records, so that the appropriate
billing model can be applied.
For example, in the case of IPTV, a service provider can bill based
on the content (US $5 per movie, perhaps), whereas for multimedia
conferencing, they can bill by the minute. This requires the
accounting streams to indicate which service was invoked for the
particular session.

4.6.  Negotiation of Service

In some cases, when the caller initiates a session, they don't
--
3. Declarative service identification can stifle service innovation

6.1.  Fraud

Declarative service identification can lead to fraud. If a provider
uses the service identifier for billing and accounting purposes, or
for authorization purposes, it opens an avenue for attack. The user
can construct the signaling message so that its actual effect (which
is the service the user will receive) is what the user desires, but
the user places a service identifier into the request (which is what
is used for billing and authorization) that identifies a cheaper
--
Domain 2 provides their users with a service they call "text
telephony", which is a voice service on a wireless device that also
allows the user to send text messages.
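The fraud described in Section 6.1 exists because the identifier the UA declares is trusted for billing while the SDP in the same INVITE decides what the user actually receives. The Python below is an added example, not code from RFC 5897 or from any SIP platform: it derives the billable service from the offer's m= lines (the "identical signaling produces identical services" rule) and rates the session on that, flagging any declared identifier that disagrees. The tariff table, the service names and the sample offer are constructed for illustration.

```python
"""Derive the billable service from SDP media lines instead of trusting a
UA-declared service identifier.  Added example; the tariff, the service
names and the sample offer are constructed, not taken from RFC 5897."""

# Hypothetical per-minute tariff in cents, keyed by the service the
# provider actually delivers (assumption for this example).
TARIFF = {
    "voice": 2,
    "text telephony": 3,
    "multimedia conversation": 10,
}


def media_types(sdp: str) -> frozenset:
    """Return the media types offered in an SDP body, read from its m= lines.

    A media line is 'm=<media> <port>[/<count>] <proto> <fmt...>'.  A port
    of 0 means the stream is rejected or disabled and must not count.
    """
    kinds = set()
    for raw in sdp.splitlines():
        line = raw.strip()
        if not line.startswith("m="):
            continue
        fields = line[2:].split()
        if len(fields) < 3:
            raise ValueError(f"malformed media line: {line!r}")
        media, port = fields[0], fields[1].split("/")[0]
        if not port.isdigit():
            raise ValueError(f"malformed port in media line: {line!r}")
        if int(port) == 0:
            continue
        kinds.add(media)
    return frozenset(kinds)


def derive_service(sdp: str) -> str:
    """Map the offered media set to a service the tariff knows about.

    The service is a by-product of what is signaled, not of a label the
    caller chose; unknown media sets are rejected rather than guessed.
    """
    kinds = media_types(sdp)
    if {"audio", "video"} <= kinds:
        return "multimedia conversation"
    if {"audio", "message"} <= kinds:
        return "text telephony"
    if kinds == {"audio"}:
        return "voice"
    raise ValueError(f"no tariff for media set {sorted(kinds)}")


def bill_by_declared(declared: str, minutes: int) -> int:
    """The attackable approach: charge whatever the UA claimed."""
    return TARIFF[declared] * minutes


def bill_by_derived(declared, sdp: str, minutes: int) -> dict:
    """Charge for the service the SDP actually establishes, and flag a
    declared identifier that disagrees with it for fraud review."""
    derived = derive_service(sdp)
    return {
        "service": derived,
        "charge": TARIFF[derived] * minutes,
        "declared": declared,
        "mismatch": declared is not None and declared != derived,
    }


# Constructed INVITE offer: audio plus video, i.e. a multimedia
# conversation, while the UA labels the call as cheap "voice".
SAMPLE_OFFER = "\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "m=video 51372 RTP/AVP 31",
])

if __name__ == "__main__":
    print("declared-only billing:", bill_by_declared("voice", 10))
    print("derived billing:", bill_by_derived("voice", SAMPLE_OFFER, 10))
```

With the sample offer, billing on the declared label charges 20 cents for ten minutes; billing on the derived service charges 100 and records the mismatch. Rejected streams (port 0) are ignored so that a caller cannot be overcharged for media that was offered but never established.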
Consider the case where
domain 1 and domain 2 both have their user agents insert a service
identifier into the request, and then use that to perform QoS
authorization, accounting, and invocation of applications in the
network and in the device. The user in domain 1 calls the user in
domain 2, and inserts the identifier "Voice Chat" into the INVITE.
When this arrives at the server in domain 2, the service identifier
is unknown. Consequently, the request does not get the proper QoS
treatment, even if the call itself will succeed.
--
Consider the following example. Several providers get together and
standardize on a bunch of service identifiers. One of these uses
audio and video (say, "multimedia conversation"). This service is
successful and is widely utilized. Endpoints look for this
identifier to dispatch calls to the right software applications, and
the network looks for it to invoke features, perform accounting, and
provide QoS. A new provider gets the idea for a new service (say,
"avatar-enhanced multimedia conversation"). In this service, there
is audio and video, but there is a third stream, which renders an
avatar. A caller can press buttons on their phone, to cause the
avatar on the other person's device to show emotion, make noise, and
--
of individual features that can be signaled in SIP.

8.  Security Considerations

Oftentimes, the service associated with a request is utilized for
purposes such as authorization, accounting, and billing. When
service identification is not done properly, the possibility of
unauthorized service use and network fraud is introduced. It is for
this reason, discussed extensively in Section 6.1, that the usage of
declarative service identifiers inserted by a UA is not recommended.
--
../data/rfc/rfc2970.txt:
Because of its particular application to query-response situations,
the term "Directory Access Gateway", or "DAG" still fits as a label
for this type of system architecture.

Internet applications are evolving, and require more sophisticated
features (e.g., security mechanisms, accounting mechanisms,
integration of historical session data). Continuing to develop a
dedicated protocol per application type results in encumbered and
unwieldy protocols, as each must implement coverage of all of these
common aspects. But creating a single multi-application protocol
seems unlikely at best. The implicit proposal here is that, rather
--
RFC 2970        Architecture for IDS - Result from TISDAG   October 2000

3. identification of necessary services -- e.g., proxying to
   remote information search services, lookup services, "AAA[A]"
   (Authentication, Authorization, Accounting, [and Access])
   servers, etc
4. definition of the transaction process for the service: insofar
   as the CAPs represent the service to client software, CAP
   modules manage the necessary transactions with other service
   modules
--
include that it be:

- lightweight; CAPs, SAPs should be able to be quite small
- flexible enough to carry queries of different paradigms, results
  of different types
- able to support authentication, authorization, accounting and
  audit mechanisms -- not necessarily native to the protocol
- able to support encryption and end-to-end security within the
  DAG system
- sophisticated enough to allow negotiation of capabilities --
  querying & identifying application type supported (e.g.,
--
../data/rfc/rfc2865.txt:
appendix.

Managing dispersed serial line and modem pools for large numbers of
users can create the need for significant administrative support.
Since modem pools are by definition a link to the outside world, they
require careful attention to security, authorization and accounting.
This can be best achieved by managing a single "database" of users,
which allows for authentication (verifying user name and password) as
well as configuration information detailing the type of service to
deliver to the user (for example, SLIP, PPP, telnet, rlogin).
--
client.

2.3.  Proxy

With proxy RADIUS, one RADIUS server receives an authentication (or
accounting) request from a RADIUS client (such as a NAS), forwards
the request to a remote RADIUS server, receives the reply from the
remote server, and sends that reply to the client, possibly with
changes to reflect local administrative policy. A common use for
proxy RADIUS is roaming. Roaming permits two or more administrative
entities to allow each other's users to dial in to either entity's
--
RADIUS Codes (decimal) are assigned as follows:

    1       Access-Request
    2       Access-Accept
    3       Access-Reject
    4       Accounting-Request
    5       Accounting-Response
   11       Access-Challenge
   12       Status-Server (experimental)
   13       Status-Client (experimental)
  255       Reserved

Codes 4 and 5 are covered in the RADIUS Accounting document [5].
Codes 12 and 13 are reserved for possible use, but are not further
mentioned here.

Identifier
--
Where an Attribute's description limits which kinds of packet it can
be contained in, this applies only to the packet types defined in
this document, namely Access-Request, Access-Accept, Access-Reject
and Access-Challenge (Codes 1, 2, 3, and 11). Other documents
defining other packet types may also use Attributes described here.
To determine which Attributes are allowed in Accounting-Request and
Accounting-Response packets (Codes 4 and 5) refer to the RADIUS
Accounting document [5].

Likewise where packet types defined here state that only certain
Attributes are permissible in them, future memos defining new
Attributes should indicate which packet types the new Attributes may
be present in.
--
   35      Login-LAT-Node
   36      Login-LAT-Group
   37      Framed-AppleTalk-Link
   38      Framed-AppleTalk-Network
   39      Framed-AppleTalk-Zone
   40-59   (reserved for accounting)
   60      CHAP-Challenge
   61      NAS-Port-Type
   62      Port-Limit
   63      Login-LAT-Port
--
This Attribute indicates the name of the user to be authenticated.
It MUST be sent in Access-Request packets if available.

It MAY be sent in an Access-Accept packet, in which case the
client SHOULD use the name returned in the Access-Accept packet in
all Accounting-Request packets for this session. If the Access-
Accept includes Service-Type = Rlogin and the User-Name attribute,
a NAS MAY use the returned User-Name when performing the Rlogin
function.

A summary of the User-Name Attribute format is shown below.
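Codes 4 and 5 above are the RADIUS accounting exchange, and the Accounting-Response is exactly the application-layer acknowledgment that the RFC 2975 excerpt earlier on this page says usage-sensitive billing needs on top of transport reliability. The following Python is an added example, not code from RFC 2865, RFC 2866 or any RADIUS implementation: it builds an Accounting-Request carrying the User-Name returned in an Access-Accept, computes the Request Authenticator the way RFC 2866 defines it (MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret), and builds and checks the matching Accounting-Response. The shared secret, user name, session id and Class token are constructed values.

```python
"""Build and verify RADIUS Accounting-Request (Code 4) and Accounting-Response
(Code 5) packets.  Added example, not code from RFC 2865/2866 or any RADIUS
implementation.  The authenticator rules are those of RFC 2866 section 3; the
shared secret and the session values below are constructed."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute types from RFC 2865 / RFC 2866.
USER_NAME = 1
CLASS = 25
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1  # Acct-Status-Type value for session start

# Code (1), Identifier (1), Length (2); the 16-octet Authenticator follows.
HEADER = struct.Struct("!BBH")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1), Length (1, counting type+length+value), Value (1..253 octets)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(data: bytes) -> list:
    """Walk the attribute area, rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_accounting_request(identifier: int, attributes: list, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    attrs = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = HEADER.pack(ACCOUNTING_REQUEST, identifier, HEADER.size + 16 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the Request Authenticator before accepting the record."""
    if len(packet) < 20:
        return False
    code, _ident, length = HEADER.unpack_from(packet)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_response(request: bytes, secret: bytes, attributes: list = ()) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    This is the application-layer acknowledgment the client waits for."""
    attrs = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = HEADER.pack(ACCOUNTING_RESPONSE, request[1], HEADER.size + 16 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the ack must match the outstanding request's Identifier and
    Request Authenticator; otherwise the record is retransmitted, not dropped."""
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack_from(response)
    if code != ACCOUNTING_RESPONSE or ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed session: the secret, name, session id and Class token are illustrative.
SHARED_SECRET = b"example-shared-secret"
START_RECORD = [
    (USER_NAME, b"alice@example.net"),            # name returned in the Access-Accept
    (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
    (ACCT_SESSION_ID, b"0000A1B2"),
    (CLASS, b"opaque-class-from-access-accept"),  # echoed unmodified, never interpreted
]

if __name__ == "__main__":
    req = build_accounting_request(7, START_RECORD, SHARED_SECRET)
    resp = build_accounting_response(req, SHARED_SECRET)
    print("request verifies:", verify_accounting_request(req, SHARED_SECRET))
    print("ack verifies:", verify_accounting_response(resp, req, SHARED_SECRET))
```

Two caveats a practitioner should keep in mind: the authenticator is a shared-secret MD5 construction rather than an HMAC, and the attributes travel in cleartext, so anyone who learns the secret can forge or alter records. That is the gap the RFC 2975 excerpt above refers to when it says inter-domain accounting would benefit from data object security that no existing protocol provides.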
The
--
Description

This Attribute is available to be sent by the server to the client
in an Access-Accept and SHOULD be sent unmodified by the client to
the accounting server as part of the Accounting-Request packet if
accounting is supported. The client MUST NOT interpret the
attribute locally.

A summary of the Class Attribute format is shown below. The fields
are transmitted from left to right.
--
Packet Type Codes, Attribute Types, and Attribute Values (for certain
Attributes).

RADIUS is not intended as a general-purpose Network Access Server
(NAS) management protocol, and allocations should not be made for
purposes unrelated to Authentication, Authorization or Accounting.

6.1.  Definition of Terms

The following terms are used here with the meanings defined in
BCP 26: "name space", "assigned value", "registration".
--
Updated list of attributes that can be included in Access-Challenge
to be consistent with the table of attributes.

User-Name mentions Network Access Identifiers.

User-Name may now be sent in Access-Accept for use with accounting
and Rlogin.

Values added for Service-Type, Login-Service, Framed-Protocol,
Framed-Compression, and NAS-Port-Type.
--
     RFC 1321, April 1992.

[4]  Postel, J., "User Datagram Protocol", STD 6, RFC 768, August
     1980.

[5]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[6]  Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC
     1700, October 1994.

[7]  Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC
--
../data/rfc/rfc5685.txt:
In case the IKE_AUTH exchange involves Extensible Authentication
Protocol (EAP) authentication (as described in Section 2.16 of RFC
4306 [2]) or multiple authentication methods (as described in RFC
4739 [6]), the gateway may decide to redirect the client based on the
interaction with the Authentication, Authorization, and Accounting
(AAA) server or the external authentication server. In this case,
the gateway MUST send the REDIRECT Notify payload in either the first
or the last IKE_AUTH response. The client and the gateway MUST
verify the AUTH payloads as described above.
--
../data/rfc/rfc617.txt:
functions), it merely maps FTP commands into local commands which
it "types" on a pseudo-Teletype (PTY) to a subjob, and similarly
maps local responses into FTP responses.
This scheme makes maximum use of existing software and
mechanisms for user authentication, accounting, and file
access, and eliminates the need for the (privileged) FTP server
to perform them interpretively. (This conforms to the
"principle of least privilege" described in RFC 501, NIC
#15818.)
--
../data/rfc/rfc2888.txt:
the purposes of this document.

3.  Remote Access operation

Remote access is more than mere authentication of remote clients by a
Network Access Server (NAS). Authentication, Authorization, Accounting
and routing are integral to remote access. A client must first pass
the authentication test before being granted link access to the
network. Network level services (such as IP) are granted based on the
authorization characteristics specified for the user in RADIUS.
Network Access Servers use RADIUS to scale for large numbers of users
--
../data/rfc/rfc1147.txt:
configuration data as well as the modification of MIB
configuration data. The performance monitoring tool
supports the collection and analysis of statistical
parameters from network devices. The status monitoring
tool reports on the up/down status and responsiveness
of network devices using ICMP. The accounting tool is
used to collect, store, and display user job activity
at the subscriber hosts. The NCC database entry supports
RFC 1066 object definitions and Unisys-specific
object definitions to support the Unisys FDDI devices.
And finally, the trap reporting tool reports the
--
../data/rfc/rfc3103.txt:
This indicates that there is a conflict between flow-based policy and
support for gateways. The main purpose of enforcing flow-based
policy for LISTEN_REQUESTs is that it allows an RSIP gateway tight
control over how an RSIP host uses ports and the associated
accounting. For example, an RSIP host, operating under remote
micro-flow based policy and using a protocol such as FTP, will have
to specify the address and port that it will receive FTP data on, as
well as the address and port that the gateway will transmit data
from, in a LISTEN_REQUEST.
--
../data/rfc/rfc1636.txt:
o Realtime Packet scheduling (realtime)

o Mobility

o Accounting

(and maybe large-scale?)

These categories were then applied to the following scenarios:
--
S2. The group in S1 is 1/3 the Internet, i.e., there are VERY severe
    scaling problems. [Security-S, mcast-S, realtime, mobility,
    large-scale]

S3. Charge for communication to support a video teleconference.
    [Accounting, realtime, mcast-S]

S4. I am travelling with my laptop.
    I tune in to radio channel IP-
    RADIO, pick-up the beacon and start using it. Who gets the
    bill? Why do they believe this is me? Is "me" a piece of
    hardware (IP address) or a certified user (PEM certificate)?
    [Mobility, accounting (, realtime, mcast-S)]

S5. A Politically Important Person will mcast an Internet
    presentation, without danger of interruptions from the audience.

S6. The travel industry wants to use Internet to deliver tickets to
--
../data/rfc/rfc2002.txt:
When the mobile node receives an Agent Advertisement with the 'R' bit
set, the mobile node SHOULD register through the foreign agent, even
when the mobile node might be able to acquire its own co-located
care-of address. This feature is intended to allow sites to enforce
visiting policies (such as accounting) which require exchanges of
authorization.

2.4.2.  Move Detection

Two primary mechanisms are provided for mobile nodes to detect when
--
../data/rfc/rfc1718.txt:
For those who could not attend a meeting but would like a copy of the
proceedings, send a check for US$35 (made payable to CNRI) to:

   Corporation for National Research Initiatives
   Attn: Accounting Department - IETF Proceedings
   1895 Preston White Drive, Suite 100
   Reston, VA 22091
   USA

Please indicate which meeting proceedings you would like to receive
--
../data/rfc/rfc3170.txt:
entry D4 in Table 1. The initial unicast request is the only
difference between this type of application and a typical 1toM.
If that initial request were sent to a multicast address, this
would effectively be an MtoM application.

t) Accounting: This is basically data collection but is worth
   separating since it is such an important application. In some
   multicast applications it is imperative to know information
   about each receiver, possibly in real-time. But such
   information can be overwhelming [MRM].
   Current mechanisms,
   like RTCP (which is actually MtoM since it is multicast but
--
../data/rfc/rfc4739.txt:
To take another example, when an operator is hosting a Virtual
Private Network (VPN) gateway service for a third party, it may be
necessary to authenticate the client to both the operator (for
billing purposes) and the third party's Authentication,
Authorization, and Accounting (AAA) server (for authorizing access to
the third party's internal network).

This document specifies an extension to IKEv2 that allows the use of
multiple authentication exchanges, using either different mechanisms
or the same mechanism. This extension allows, for instance,
--
../data/rfc/rfc8426.txt:
suited for SR and need to coexist with RSVP-TE in the same network.
Such introduction or migration of traffic to SR might require
coexistence with RSVP-TE in the same network for an extended period
of time, depending on the operator's intent. The following document
provides solution options for keeping the traffic engineering
database consistent across the network, accounting for the different
bandwidth utilization between SR and RSVP-TE.

Status of This Memo

This document is not an Internet Standards Track specification; it is
--
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12

1.  Introduction

Introduction of SR [RFC8402] in the same network domain as RSVP-TE
[RFC3209] presents the problem of accounting for SR traffic and
making RSVP-TE aware of the actual available bandwidth on the network
links. RSVP-TE is not aware of how much bandwidth is being consumed
by SR services on the network links; hence, both at computation time
(for a distributed computation) and at signaling time, RSVP-TE LSPs
will incorrectly place loads. This is true where RSVP-TE paths are
--
aware of the SR traffic reservations. In this approach, non-SR
traffic MUST NOT take the SR-dedicated RSVP-TE LSPs, unless required
by policy.

The drawback of this solution is that it requires SR to rely on
RSVP-TE for deployment. Furthermore, the accounting accuracy/frequency
of this method is dependent on performance of auto-bandwidth for
RSVP-TE. Note that, for this method to work, the SR-dedicated RSVP-TE
LSPs must be set up with the best setup and hold priorities in the
network.
--
../data/rfc/rfc7660.txt:
does not provide specific actions when the flow(s) described by the
Filter-Rule are congested.

Further, a Filter-Rule can describe multiple flows but not the exact
number of flows.
Flow count and other associated data (e.g., ../data/rfc/rfc7660.txt: packets) are not captured by accounting applications, leaving ../data/rfc/rfc7660.txt- administrators without useful information regarding the effectiveness ../data/rfc/rfc7660.txt- or appropriateness of the filter definition. ../data/rfc/rfc7660.txt- ../data/rfc/rfc7660.txt- The optional attributes defined in this document are forward and ../data/rfc/rfc7660.txt- backwards compatible with RFC 5777. -- ../data/rfc/rfc7660.txt- RFC 5777. As these are extensions to RFC 5777, they do not raise new ../data/rfc/rfc7660.txt- security concerns. ../data/rfc/rfc7660.txt- ../data/rfc/rfc7660.txt- The Flow-Count and Packet-Count AVPs can be provided in conjunction ../data/rfc/rfc7660.txt- with customary AVPs, e.g., Bytes, Time, Service units, during ../data/rfc/rfc7660.txt: accounting activities as described in the base protocol [RFC6733] or ../data/rfc/rfc7660.txt- other Diameter applications. These new AVPs provide more information ../data/rfc/rfc7660.txt- that can be privacy sensitive. The privacy sensitivity is directly ../data/rfc/rfc7660.txt- related to traffic captured by filters and associated reports. ../data/rfc/rfc7660.txt- Narrow filtering, which creates the highest level of privacy ../data/rfc/rfc7660.txt- sensitivity, is too resource intensive to be widely applied on large -- ../data/rfc/rfc8907.txt- 5.4.2. Common Authentication Flows ../data/rfc/rfc8907.txt- 5.4.3. Aborting an Authentication Session ../data/rfc/rfc8907.txt- 6. Authorization ../data/rfc/rfc8907.txt- 6.1. The Authorization REQUEST Packet Body ../data/rfc/rfc8907.txt- 6.2. The Authorization REPLY Packet Body ../data/rfc/rfc8907.txt: 7. Accounting ../data/rfc/rfc8907.txt- 7.1. The Account REQUEST Packet Body ../data/rfc/rfc8907.txt: 7.2. The Accounting REPLY Packet Body ../data/rfc/rfc8907.txt- 8. Argument-Value Pairs ../data/rfc/rfc8907.txt- 8.1. Value Encoding ../data/rfc/rfc8907.txt- 8.2. 
Authorization Arguments ../data/rfc/rfc8907.txt: 8.3. Accounting Arguments ../data/rfc/rfc8907.txt- 9. Privilege Levels ../data/rfc/rfc8907.txt- 10. Security Considerations ../data/rfc/rfc8907.txt- 10.1. General Security of the Protocol ../data/rfc/rfc8907.txt- 10.2. Security of Authentication Sessions ../data/rfc/rfc8907.txt- 10.3. Security of Authorization Sessions ../data/rfc/rfc8907.txt: 10.4. Security of Accounting Sessions ../data/rfc/rfc8907.txt- 10.5. TACACS+ Best Practices ../data/rfc/rfc8907.txt- 10.5.1. Shared Secrets ../data/rfc/rfc8907.txt- 10.5.2. Connections and Obfuscation ../data/rfc/rfc8907.txt- 10.5.3. Authentication ../data/rfc/rfc8907.txt- 10.5.4. Authorization -- ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt-1. Introduction ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- This document describes the Terminal Access Controller Access-Control ../data/rfc/rfc8907.txt- System Plus (TACACS+) protocol. It was conceived initially as a ../data/rfc/rfc8907.txt: general Authentication, Authorization, and Accounting (AAA) protocol. ../data/rfc/rfc8907.txt- It is widely deployed today but is mainly confined for a specific ../data/rfc/rfc8907.txt- subset of AAA called Device Administration, which includes ../data/rfc/rfc8907.txt- authenticating access to network devices, providing central ../data/rfc/rfc8907.txt- authorization of operations, and auditing of those operations. ../data/rfc/rfc8907.txt- -- ../data/rfc/rfc8907.txt- future development features, and it uses TCP to ensure reliable ../data/rfc/rfc8907.txt- delivery. The protocol allows the TACACS+ client to request fine- ../data/rfc/rfc8907.txt- grained access control and allows the server to respond to each ../data/rfc/rfc8907.txt- component of that request. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: The separation of authentication, authorization, and accounting is a ../data/rfc/rfc8907.txt- key element of the design of TACACS+ protocol. 
Essentially, it makes ../data/rfc/rfc8907.txt- TACACS+ a suite of three protocols. This document will address each ../data/rfc/rfc8907.txt- one in separate sections. Although TACACS+ defines all three, an ../data/rfc/rfc8907.txt- implementation or deployment is not required to employ all three. ../data/rfc/rfc8907.txt- Separating the elements is useful for the Device Administration use ../data/rfc/rfc8907.txt: case, specifically, for authorization and accounting of individual ../data/rfc/rfc8907.txt- commands in a session. Note that there is no provision made at the ../data/rfc/rfc8907.txt- protocol level to associate authentication requests with ../data/rfc/rfc8907.txt- authorization requests. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt-2. Conventions -- ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt-3.5. Session ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- The concept of a session is used throughout this document. A TACACS+ ../data/rfc/rfc8907.txt- session is a single authentication sequence, a single authorization ../data/rfc/rfc8907.txt: exchange, or a single accounting exchange. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: An accounting and authorization session will consist of a single pair ../data/rfc/rfc8907.txt- of packets (the request and its reply). An authentication session ../data/rfc/rfc8907.txt- may involve an arbitrary number of packets being exchanged. The ../data/rfc/rfc8907.txt- session is an operational concept that is maintained between the ../data/rfc/rfc8907.txt- TACACS+ client and server. It does not necessarily correspond to a ../data/rfc/rfc8907.txt- given user or user action. 
-- ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- TAC_PLUS_AUTHEN := 0x01 (Authentication) ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- TAC_PLUS_AUTHOR := 0x02 (Authorization) ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: TAC_PLUS_ACCT := 0x03 (Accounting) ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- seq_no ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- This is the sequence number of the current packet. The first ../data/rfc/rfc8907.txt- packet in a session MUST have the sequence number 1, and each -- ../data/rfc/rfc8907.txt- Connection Mode when it initiates the next session. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt-4.4. Session Completion ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- The REPLY packets defined for the packet types in the sections below ../data/rfc/rfc8907.txt: (Authentication, Authorization, and Accounting) contain a status ../data/rfc/rfc8907.txt- field. The complete set of options for this field depend upon the ../data/rfc/rfc8907.txt- packet type, but all three REPLY packet types define values ../data/rfc/rfc8907.txt- representing PASS, ERROR, and FAIL, which indicate the last packet of ../data/rfc/rfc8907.txt- a regular session (one that is not aborted). ../data/rfc/rfc8907.txt- -- ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- Table 1: TACACS+ Protocol Versioning ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- The '-' symbol represents that the option is not valid. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: All authorization and accounting and ASCII authentication use ../data/rfc/rfc8907.txt- minor_version 0. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- PAP, CHAP, and MS-CHAP login use minor_version 1. The normal ../data/rfc/rfc8907.txt- exchange is a single START packet from the client and a single REPLY ../data/rfc/rfc8907.txt- from the server. -- ../data/rfc/rfc8907.txt- This field corresponds to the authen_type field in ../data/rfc/rfc8907.txt- "Authentication" (Section 5). 
It indicates the type of ../data/rfc/rfc8907.txt- authentication that was performed. If this information is not ../data/rfc/rfc8907.txt- available, then the client will set authen_type to ../data/rfc/rfc8907.txt- TAC_PLUS_AUTHEN_TYPE_NOT_SET := 0x00. This value is valid only in ../data/rfc/rfc8907.txt: authorization and accounting requests. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- authen_service ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- This field is the same as the authen_service field in ../data/rfc/rfc8907.txt- "Authentication" (Section 5). It indicates the service through -- ../data/rfc/rfc8907.txt- "Authorization Arguments" (Section 8.2). Each argument is encoded ../data/rfc/rfc8907.txt- in the packet as a single arg field (arg_1... arg_N) with a ../data/rfc/rfc8907.txt- corresponding length field (which indicates the length of each ../data/rfc/rfc8907.txt- argument in bytes). ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt:7. Accounting ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: Accounting is typically the third action after authentication and ../data/rfc/rfc8907.txt- authorization. But again, neither authentication nor authorization ../data/rfc/rfc8907.txt: is required. Accounting is the action of recording what a user is ../data/rfc/rfc8907.txt: doing and/or has done. Accounting in TACACS+ can serve two purposes: ../data/rfc/rfc8907.txt- it may be used as an auditing tool for security services, and it may ../data/rfc/rfc8907.txt- also be used to account for services used such as in a billing ../data/rfc/rfc8907.txt: environment. To this end, TACACS+ supports three types of accounting ../data/rfc/rfc8907.txt- records: Start records indicate that a service is about to begin, ../data/rfc/rfc8907.txt- Stop records indicate that a service has just terminated, and Update ../data/rfc/rfc8907.txt- records are intermediate notices that indicate that a service is ../data/rfc/rfc8907.txt: still being performed. 
TACACS+ accounting records contain all the ../data/rfc/rfc8907.txt- information used in the authorization records and also contain ../data/rfc/rfc8907.txt: accounting-specific information such as start and stop times (when ../data/rfc/rfc8907.txt: appropriate) and resource usage information. A list of accounting ../data/rfc/rfc8907.txt: arguments is defined in "Accounting Arguments" (Section 8.3). ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt-7.1. The Account REQUEST Packet Body ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 ../data/rfc/rfc8907.txt- +----------------+----------------+----------------+----------------+ -- ../data/rfc/rfc8907.txt- TAC_PLUS_ACCT_FLAG_WATCHDOG := 0x08 ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- All other fields are defined in "Authentication" (Section 5) and ../data/rfc/rfc8907.txt- "Authorization" (Section 6) and have the same semantics. They ../data/rfc/rfc8907.txt- provide details for the conditions on the client, and authentication ../data/rfc/rfc8907.txt: context, so that these details may be logged for accounting purposes. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: See "Accounting Arguments" (Section 8.3) for the dictionary of ../data/rfc/rfc8907.txt: arguments relevant to accounting. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt:7.2. The Accounting REPLY Packet Body ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: The purpose of accounting is to record the action that has occurred ../data/rfc/rfc8907.txt- on the client. The server MUST reply with success only when the ../data/rfc/rfc8907.txt: accounting request has been recorded. If the server did not record ../data/rfc/rfc8907.txt: the accounting request, then it MUST reply with ERROR. 
../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 ../data/rfc/rfc8907.txt- +----------------+----------------+----------------+----------------+ ../data/rfc/rfc8907.txt- | server_msg len | data_len | ../data/rfc/rfc8907.txt- +----------------+----------------+----------------+----------------+ -- ../data/rfc/rfc8907.txt- display, console, or log. The decision to present this message is ../data/rfc/rfc8907.txt- client specific. The data_len indicates the length of the data ../data/rfc/rfc8907.txt- field, in bytes. For details of text encoding, see "Treatment of ../data/rfc/rfc8907.txt- Text Strings" (Section 3.7). ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: TACACS+ accounting is intended to record various types of events on ../data/rfc/rfc8907.txt- clients, for example: login sessions, command entry, and others as ../data/rfc/rfc8907.txt- required by the client implementation. These events are collectively ../data/rfc/rfc8907.txt- referred to in "The Draft" [THE-DRAFT] as "tasks". ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- The TAC_PLUS_ACCT_FLAG_START flag indicates that this is a start ../data/rfc/rfc8907.txt: accounting message. Start messages will only be sent once when a ../data/rfc/rfc8907.txt- task is started. The TAC_PLUS_ACCT_FLAG_STOP indicates that this is ../data/rfc/rfc8907.txt- a stop record and that the task has terminated. The ../data/rfc/rfc8907.txt- TAC_PLUS_ACCT_FLAG_WATCHDOG flag means that this is an update record. 
../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- +==========+======+=======+=============+=========================+ ../data/rfc/rfc8907.txt- | Watchdog | Stop | Start | Flags & 0xE | Meaning | ../data/rfc/rfc8907.txt- +==========+======+=======+=============+=========================+ ../data/rfc/rfc8907.txt- | 0 | 0 | 0 | 0 | INVALID | ../data/rfc/rfc8907.txt- +----------+------+-------+-------------+-------------------------+ ../data/rfc/rfc8907.txt: | 0 | 0 | 1 | 2 | Start Accounting Record | ../data/rfc/rfc8907.txt- +----------+------+-------+-------------+-------------------------+ ../data/rfc/rfc8907.txt: | 0 | 1 | 0 | 4 | Stop Accounting Record | ../data/rfc/rfc8907.txt- +----------+------+-------+-------------+-------------------------+ ../data/rfc/rfc8907.txt- | 0 | 1 | 1 | 6 | INVALID | ../data/rfc/rfc8907.txt- +----------+------+-------+-------------+-------------------------+ ../data/rfc/rfc8907.txt- | 1 | 0 | 0 | 8 | Watchdog, no update | ../data/rfc/rfc8907.txt- +----------+------+-------+-------------+-------------------------+ -- ../data/rfc/rfc8907.txt- | 1 | 1 | 0 | C | INVALID | ../data/rfc/rfc8907.txt- +----------+------+-------+-------------+-------------------------+ ../data/rfc/rfc8907.txt- | 1 | 1 | 1 | E | INVALID | ../data/rfc/rfc8907.txt- +----------+------+-------+-------------+-------------------------+ ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: Table 2: Summary of Accounting Packets ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- The START and STOP flags are mutually exclusive. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- The WATCHDOG flag is used by the client to communicate ongoing status ../data/rfc/rfc8907.txt- of a long-running task. Update records are sent at the client's -- ../data/rfc/rfc8907.txt- requests an INVALID option. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt-8. Argument-Value Pairs ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- TACACS+ is intended to be an extensible protocol. 
The arguments used ../data/rfc/rfc8907.txt: in Authorization and Accounting are not limited by this document. ../data/rfc/rfc8907.txt- Some arguments are defined below for common use cases. Clients MUST ../data/rfc/rfc8907.txt- use these arguments when supporting the corresponding use cases. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt-8.1. Value Encoding ../data/rfc/rfc8907.txt- -- ../data/rfc/rfc8907.txt-8.2. Authorization Arguments ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- service (String) ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- The primary service. Specifying a service argument indicates that ../data/rfc/rfc8907.txt: this is a request for authorization or accounting of that service. ../data/rfc/rfc8907.txt- For example: "shell", "tty-server", "connection", "system" and ../data/rfc/rfc8907.txt- "firewall"; others may be chosen for the required application. ../data/rfc/rfc8907.txt- This argument MUST always be included. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- protocol (String) -- ../data/rfc/rfc8907.txt- priv-lvl (Numeric) ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- The privilege level to be assigned. Please refer to "Privilege ../data/rfc/rfc8907.txt- Levels" (Section 9). ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt:8.3. Accounting Arguments ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: The following arguments are defined for TACACS+ accounting only. ../data/rfc/rfc8907.txt- They MUST precede any argument-value pairs that are defined in ../data/rfc/rfc8907.txt- "Authorization" (Section 6). ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- task_id (String) ../data/rfc/rfc8907.txt- -- ../data/rfc/rfc8907.txt- encoding, see "Treatment of Text Strings" (Section 3.7). ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- Where the TACACS+ deployment is used to support the Device ../data/rfc/rfc8907.txt- Administration use case, it is often required to log all commands ../data/rfc/rfc8907.txt- entered into client devices. 
To support this mode of operation, ../data/rfc/rfc8907.txt: TACACS+ client devices MUST be configured to send an accounting start ../data/rfc/rfc8907.txt- packet for every command entered, irrespective of how the commands ../data/rfc/rfc8907.txt: were authorized. These "Command Accounting" packets MUST include the ../data/rfc/rfc8907.txt- "service" and "cmd" arguments, and if needed, the "cmd-arg" arguments ../data/rfc/rfc8907.txt- detailed in Section 8.2. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt-9. Privilege Levels ../data/rfc/rfc8907.txt- -- ../data/rfc/rfc8907.txt- "The Draft" [THE-DRAFT] from 1998 did not address all of the key ../data/rfc/rfc8907.txt- security concerns that are considered when designing modern ../data/rfc/rfc8907.txt- standards. This section addresses known limitations and concerns ../data/rfc/rfc8907.txt- that will impact overall security of the protocol and systems where ../data/rfc/rfc8907.txt- this protocol is deployed to manage central authentication, ../data/rfc/rfc8907.txt: authorization, or accounting for network Device Administration. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- Multiple implementations of the protocol described in "The Draft" ../data/rfc/rfc8907.txt- [THE-DRAFT] have been deployed. As the protocol was never ../data/rfc/rfc8907.txt- standardized, current implementations may be incompatible in non- ../data/rfc/rfc8907.txt- obvious ways, giving rise to additional security risks. This section -- ../data/rfc/rfc8907.txt- provide no meaningful integrity, privacy, or replay protection. An ../data/rfc/rfc8907.txt- attacker with access to the data stream should be assumed to be able ../data/rfc/rfc8907.txt- to read and modify all TACACS+ packets. 
Without mitigation, a range ../data/rfc/rfc8907.txt- of risks such as the following are possible: ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: * Accounting information may be modified by the man-in-the-middle ../data/rfc/rfc8907.txt- attacker, making such logs unsuitable and not trustable for ../data/rfc/rfc8907.txt- auditing purposes. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- * Invalid or misleading values may be inserted by the man-in-the- ../data/rfc/rfc8907.txt- middle attacker in various fields at known offsets to try and -- ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- * In combination with known plaintext, the attacker can determine ../data/rfc/rfc8907.txt- with certainty the value of the crypto-pad octet used to obfuscate ../data/rfc/rfc8907.txt- the original octet. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt:10.4. Security of Accounting Sessions ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: Accounting sessions SHOULD be used via a secure transport (see ../data/rfc/rfc8907.txt: "TACACS+ Best Practices" (Section 10.5)). Although Accounting ../data/rfc/rfc8907.txt- sessions are not directly involved in authentication or authorizing ../data/rfc/rfc8907.txt- operations on the device, man-in-the-middle attackers may do any of ../data/rfc/rfc8907.txt- the following: ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: * Replace accounting data with new valid values or garbage that can ../data/rfc/rfc8907.txt- confuse auditors or hide information related to their ../data/rfc/rfc8907.txt- authentication and/or authorization attack attempts. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: * Try and poison an accounting log with entries designed to make ../data/rfc/rfc8907.txt- systems behave in unintended ways (these systems could be TACACS+ ../data/rfc/rfc8907.txt: servers and any other systems that would manage accounting ../data/rfc/rfc8907.txt- entries). 
../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt- In addition to these direct manipulations, different client ../data/rfc/rfc8907.txt: implementations pass a different fidelity of accounting data. Some ../data/rfc/rfc8907.txt- vendors have been observed in the wild that pass sensitive data like ../data/rfc/rfc8907.txt: passwords, encryption keys, and the like as part of the accounting ../data/rfc/rfc8907.txt- log. Due to a lack of strong encryption with perfect forward ../data/rfc/rfc8907.txt- secrecy, this data may be revealed in the future, leading to a ../data/rfc/rfc8907.txt- security incident. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt-10.5. TACACS+ Best Practices -- ../data/rfc/rfc8907.txt- disabled and MUST warn the administrator that these options are not ../data/rfc/rfc8907.txt- secure. ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt-10.5.4. Authorization ../data/rfc/rfc8907.txt- ../data/rfc/rfc8907.txt: The authorization and accounting features are intended to provide ../data/rfc/rfc8907.txt- extensibility and flexibility. There is a base dictionary defined in ../data/rfc/rfc8907.txt- this document, but it may be extended in deployments by using new ../data/rfc/rfc8907.txt- argument names. The cost of the flexibility is that administrators ../data/rfc/rfc8907.txt- and implementers MUST ensure that the argument and value pairs shared ../data/rfc/rfc8907.txt- between the clients and servers have consistent interpretation. -- ../data/rfc/rfc7056.txt- ../data/rfc/rfc7056.txt- The naming extensions to the Generic Security Service Application ../data/rfc/rfc7056.txt- Programming Interface (GSS-API) provide a mechanism for applications ../data/rfc/rfc7056.txt- to discover authorization and personalization information associated ../data/rfc/rfc7056.txt- with GSS-API names. 
The Extensible Authentication Protocol GSS-API ../data/rfc/rfc7056.txt: mechanism allows an Authentication, Authorization, and Accounting ../data/rfc/rfc7056.txt- (AAA) peer to provide authorization attributes alongside an ../data/rfc/rfc7056.txt- authentication response. It also supplies mechanisms to process ../data/rfc/rfc7056.txt- Security Assertion Markup Language (SAML) messages provided in the ../data/rfc/rfc7056.txt- AAA response. This document describes how to use the Naming ../data/rfc/rfc7056.txt- Extensions API to access that information. -- ../data/rfc/rfc7056.txt- The naming extensions [RFC6680] to the Generic Security Service ../data/rfc/rfc7056.txt- Application Programming Interface (GSS-API) [RFC2743] provide a ../data/rfc/rfc7056.txt- mechanism for applications to discover authorization and ../data/rfc/rfc7056.txt- personalization information associated with GSS-API names. The ../data/rfc/rfc7056.txt- Extensible Authentication Protocol GSS-API mechanism [RFC7055] allows ../data/rfc/rfc7056.txt: an Authentication, Authorization, and Accounting (AAA) peer to ../data/rfc/rfc7056.txt- provide authorization attributes alongside an authentication ../data/rfc/rfc7056.txt- response. It also supplies mechanisms to process Security Assertion ../data/rfc/rfc7056.txt- Markup Language (SAML) messages provided in the AAA response. Other ../data/rfc/rfc7056.txt- mechanisms such as SAML Enhanced Client (EC) [SASL-SAML] also support ../data/rfc/rfc7056.txt- SAML assertions and attributes carried in the GSS-API. This document -- ../data/rfc/rfc6467.txt- ../data/rfc/rfc6467.txt- The secure password methods are not usually meant to be used in the ../data/rfc/rfc6467.txt- normal end user (remote access VPN) cases. In such cases, EAP-based ../data/rfc/rfc6467.txt- authentication works fine, and the asymmetric nature of EAP does not ../data/rfc/rfc6467.txt- matter. 
In such scenarios, the authentication is usually backed up ../data/rfc/rfc6467.txt: with the back-end Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc6467.txt- servers and other infrastructure. That is, in such scenarios, ../data/rfc/rfc6467.txt- neither of the IKEv2 peers really knows the secret, as on one end it ../data/rfc/rfc6467.txt- is typed in by the user when it is needed, and on the other end it is ../data/rfc/rfc6467.txt- authenticated by the back-end AAA server. ../data/rfc/rfc6467.txt- -- ../data/rfc/rfc1689.txt- Program priorities are 1) to facilitate a consistent and complete ../data/rfc/rfc1689.txt- mechanism for linking bibliographic, abstracting, and indexing files ../data/rfc/rfc1689.txt- to files of their associated source materials; 2) a single standard ../data/rfc/rfc1689.txt- for the transmission of bitmapped image files; 3) protocols for ../data/rfc/rfc1689.txt- handling networked requests for delivery of source materials; 4) ../data/rfc/rfc1689.txt: mechanisms for interorganizational authentication, accounting, and ../data/rfc/rfc1689.txt- billing; and 5) to integrate lessons drawn from the experience of ../data/rfc/rfc1689.txt- pilot projects that exercise networked printing utilities and 6) to ../data/rfc/rfc1689.txt- provide an "interoperability workshop" to specify, implement, and ../data/rfc/rfc1689.txt- test advanced functions of Z39.50 to accelerate the pace and to ../data/rfc/rfc1689.txt- ensure the quality of standardization efforts in this area. 
-- ../data/rfc/rfc1689.txt- Program priorities are 1) to facilitate a consistent and complete ../data/rfc/rfc1689.txt- mechanism for linking bibliographic, abstracting, and indexing files ../data/rfc/rfc1689.txt- to files of their associated source materials; 2) a single standard ../data/rfc/rfc1689.txt- for the transmission of bitmapped image files; 3) protocols for ../data/rfc/rfc1689.txt- handing networked requests for delivery of source materials; 4) ../data/rfc/rfc1689.txt: mechanisms for interorganizational authentication, accounting, and ../data/rfc/rfc1689.txt- billing; and 5) to integrate lessons drawn from the experience of ../data/rfc/rfc1689.txt- pilot projects that exercise networked printing utilities and 6) to ../data/rfc/rfc1689.txt- provide an "interoperability workshop" to specify, implement, and test ../data/rfc/rfc1689.txt- advanced functions of Z39.50 to accelerate the pace and to ensure the ../data/rfc/rfc1689.txt- quality of standardization efforts in this area. -- ../data/rfc/rfc7336.txt- environment (without CDNI), the CSP places a degree of trust in a ../data/rfc/rfc7336.txt- single CDN operator to perform many functions. The CDN is trusted to ../data/rfc/rfc7336.txt- deliver content with appropriate quality of experience for the end ../data/rfc/rfc7336.txt- user. The CSP trusts the CDN operator not to corrupt or modify the ../data/rfc/rfc7336.txt- content. The CSP often relies on the CDN operator to provide ../data/rfc/rfc7336.txt: reliable accounting information regarding the volume of delivered ../data/rfc/rfc7336.txt- content. The CSP may also trust the CDN operator to perform actions ../data/rfc/rfc7336.txt- such as timely invalidation of content and restriction of access to ../data/rfc/rfc7336.txt- content based on certain criteria such as location of the user and ../data/rfc/rfc7336.txt- time of day, and to enforce per-request authorization performed by ../data/rfc/rfc7336.txt- the CSP using techniques such as URI signing. 
-- ../data/rfc/rfc7336.txt- CSP will in some cases take steps to protect its content from ../data/rfc/rfc7336.txt- improper distribution by a CDN, e.g., by encrypting it and ../data/rfc/rfc7336.txt- distributing keys in some out of band way. A CSP also depends on ../data/rfc/rfc7336.txt- monitoring (possibly by third parties) and reporting to verify that ../data/rfc/rfc7336.txt- the CDN has performed adequately. A CSP may use techniques such as ../data/rfc/rfc7336.txt: client-based metering to verify that accounting information provided ../data/rfc/rfc7336.txt- by the CDN is reliable. HTTP conditional requests may be used to ../data/rfc/rfc7336.txt- provide the CSP with some checks on CDN operation. In other words, ../data/rfc/rfc7336.txt- while a CSP may trust a CDN to perform some functions in the short ../data/rfc/rfc7336.txt- term, the CSP is able, in most cases, to verify whether these actions ../data/rfc/rfc7336.txt- have been performed correctly and to take action (such as moving the -- ../data/rfc/rfc8157.txt- ../data/rfc/rfc8157.txt- CIR: Committed Information Rate [RFC2697]. ../data/rfc/rfc8157.txt- ../data/rfc/rfc8157.txt- RTT: Round-Trip Time. ../data/rfc/rfc8157.txt- ../data/rfc/rfc8157.txt: AAA: Authentication, Authorization, and Accounting [RFC6733]. ../data/rfc/rfc8157.txt- ../data/rfc/rfc8157.txt- SOAP: Simple Object Access Protocol. A protocol specification for ../data/rfc/rfc8157.txt- exchanging structured information in the implementation of web ../data/rfc/rfc8157.txt- services in computer networks. ../data/rfc/rfc8157.txt- -- ../data/rfc/rfc4110.txt- that is not going to or coming from those sites. ../data/rfc/rfc4110.txt- ../data/rfc/rfc4110.txt- Virtual Router (VR): An instance of one of a number of logical ../data/rfc/rfc4110.txt- routers located within a single physical router. 
Each logical router ../data/rfc/rfc4110.txt- emulates a physical router using existing mechanisms and tools for ../data/rfc/rfc4110.txt: configuration, operation, accounting, and maintenance. ../data/rfc/rfc4110.txt- ../data/rfc/rfc4110.txt- VPN Forwarding Instance (VFI): A logical entity that resides in a PE ../data/rfc/rfc4110.txt- that includes the router information base and forwarding information ../data/rfc/rfc4110.txt- base for a VPN. ../data/rfc/rfc4110.txt- -- ../data/rfc/rfc4110.txt- for using a partial mesh topology is to reduce the number of tunnels ../data/rfc/rfc4110.txt- a VPN edge device, and/or the network, needs to support. Another ../data/rfc/rfc4110.txt- reason is to support the scenario where an administrator requires all ../data/rfc/rfc4110.txt- traffic from certain sites to traverse some particular site for ../data/rfc/rfc4110.txt- policy or control reasons, such as to force traffic through a ../data/rfc/rfc4110.txt: firewall, or for monitoring or accounting purposes. Note that the ../data/rfc/rfc4110.txt- topologies used for each VPN are separate, and thus the same VPN edge ../data/rfc/rfc4110.txt- device may be part of a full mesh topology for one VPN, and of a ../data/rfc/rfc4110.txt- partial mesh topology for another VPN. ../data/rfc/rfc4110.txt- ../data/rfc/rfc4110.txt- An example of where a partial mesh topology could be suitable is for -- ../data/rfc/rfc4044.txt- ../data/rfc/rfc4044.txt-13. 
Comparison to RFC 2837 ../data/rfc/rfc4044.txt- ../data/rfc/rfc4044.txt- This MIB is a superset of RFC 2837, except for the following: ../data/rfc/rfc4044.txt- ../data/rfc/rfc4044.txt: - the fcFeClass1AccountingGroup group is obsolete, ../data/rfc/rfc4044.txt- ../data/rfc/rfc4044.txt- - fcFxPortConnectedNxPort, fcFxPortFcphVersionHigh, ../data/rfc/rfc4044.txt- fcFxPortFcphVersionLow, fcFxPortFcphVersionAgreed, ../data/rfc/rfc4044.txt- fcFxPortStackedConnModeAgreed, fcFxPortIntermixSuppAgreed, ../data/rfc/rfc4044.txt- fcFxPortCapStackedConnMode, and fcFxPortCapIntermix are obsolete, -- ../data/rfc/rfc6043.txt- | OR (selection operator) ../data/rfc/rfc6043.txt- ../data/rfc/rfc6043.txt-2.2. Abbreviations ../data/rfc/rfc6043.txt- ../data/rfc/rfc6043.txt- 3GPP: 3rd Generation Partnership Project ../data/rfc/rfc6043.txt: AAA: Authentication, Authorization, and Accounting ../data/rfc/rfc6043.txt- ACL: Access Control List ../data/rfc/rfc6043.txt- AES: Advanced Encryption Standard ../data/rfc/rfc6043.txt- CA: Certification Authority ../data/rfc/rfc6043.txt- CS: Crypto Session ../data/rfc/rfc6043.txt- CSB: Crypto Session Bundle -- ../data/rfc/rfc6043.txt- At the same time, it is also important to be aware that (centralized) ../data/rfc/rfc6043.txt- key management services may introduce a single point of (security) ../data/rfc/rfc6043.txt- failure. The security requirements on the implementation and ../data/rfc/rfc6043.txt- protection of the KMS may therefore, in high-security applications, ../data/rfc/rfc6043.txt- be more or less equivalent to the requirements of an AAA ../data/rfc/rfc6043.txt: (Authentication, Authorization, and Accounting) server or a ../data/rfc/rfc6043.txt- Certification Authority (CA). ../data/rfc/rfc6043.txt- ../data/rfc/rfc6043.txt-4. MIKEY-TICKET ../data/rfc/rfc6043.txt- ../data/rfc/rfc6043.txt-4.1. Overview -- ../data/rfc/rfc5419.txt- MN and HA. 
So the alternate solution is in addition to the IPsec-based mechanism specified in the base RFCs, i.e., [RFC3775], [RFC3776], and [RFC4877]. It has been noted that some of the challenges of deploying MIPv6 in certain types of networks arose from dependence on the Internet Key Exchange (IKE), which did not integrate well with an Authentication, Authorization, and Accounting (AAA) backend infrastructure. IKEv2 solves this problem. However, at the time of discussion on the need for the authentication
--
rfc5419.txt:
WiMAX networks. CDMA2000 networks are currently deployed in many countries today. WiMAX deployments in many countries began in 2008. The packet data network architecture of CDMA2000 [3GPP2 X.S0011-002-D] includes a MIPv4 foreign agent/home agent and a RADIUS-based AAA infrastructure for Authentication, Authorization, and Accounting purposes. The AAA infrastructure provides authentication capability in the case of Mobile IPv4.

Typically, the mobile node shares a security association with the AAA-Home entity. This is the preferred mode of operation over having a shared secret between the MN and HA because the AAA-Home entity
--
rfc5419.txt:
of attachment. While route optimization negates the benefit of having a home agent on a link close to the MN, it cannot always be guaranteed that the MN and correspondent node (CN) will use or support route optimization. There may also be instances where the operator prefers to not allow route optimization for various reasons, such as accounting aggregation or enforcing service contracts. In such cases, an HA that is close to the MN's point of attachment reduces the issues of latency, etc. of forward and reverse tunnelling of packets between the MN and HA.

CDMA2000 networks that are operational today have large numbers of
--
rfc5419.txt:
- Authenticating signaling messages other than BU/BAck between the MN and HA, such as ICMPv6, MLD, and DHCPv6.

- Enforcing access control to the network behind the HA.

- Accounting or other flow-specific processing performed by the HA.

This means the authentication option is of limited applicability in environments where the HA can receive reverse-tunneled packets with spoofed source IP addresses
--
rfc5419.txt:
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007.

[RFC3957] Perkins, C. and P. Calhoun, "Authentication, Authorization, and Accounting (AAA) Registration Keys for Mobile IPv4", RFC 3957, March 2005.

[RFC4285] Patel, A., Leung, K., Khalil, M., Akhtar, H., and K. Chowdhury, "Authentication Protocol for
--
rfc8802.txt:
* A BEGIN message has been received by the server. The pre-existing Q4S quality session is canceled, and a new session will be initiated.

The meaning of the Termination phase in terms of the release of resources or accounting is application dependent and out of scope of the Q4S protocol.

In the Reactive alerting mode, Q4S CANCEL messages received by the Q4S server must cause the server stack to send cancel notifications to the Actuator in order to release possible assigned resources for
--
rfc7589.txt:
used to issue certificates for other purposes, then all certificates created for other purposes will be accepted by a NETCONF server as well, which is likely not suitable.

This document does not support third-party authentication (e.g., backend Authentication, Authorization, and Accounting (AAA) servers) due to the fact that TLS does not specify this way of authentication and that NETCONF depends on the transport protocol for the authentication service. If third-party authentication is needed, the Secure Shell (SSH) transport [RFC6242] can be used.
--
rfc3573.txt:
others.

* Temporarily stop polling protocols such as LCP Echo Requests, Link Quality Monitoring (LQM), Multilink PPP (MP), etc.
* Drop data packets directed to the now on-hold remote client.
* Start a new accounting session, to account for the on-hold time.
* Stop or hold accounting until the modem returns online again.
* Start a separate time accounting for the time that the modem is on hold.

Here are a few things that an LNS should probably NOT do:

* Buffer data packets directed to the now on-hold remote client.
--
rfc3076.txt:
RFC 3076 Canonical XML March 2001

whitespace and equivalent data (e.g., <color>black</color> versus <color>rgb(0,0,0)</color>). There are also equivalencies established by other W3C Recommendations and Working Drafts. Accounting for these additional equivalence rules is beyond the scope of this work. They can be applied by the application or become the subject of future specifications.

The canonical form of an XML document may not be completely
--
rfc3290.txt:
3.1.2. Configuration and Management Interface

Diffserv operating parameters are monitored and provisioned through this interface. Monitored parameters include statistics regarding traffic carried at various Diffserv service levels. These statistics may be important for accounting purposes and/or for tracking compliance to Traffic Conditioning Specifications (TCSs) negotiated with customers. Provisioned parameters are primarily the TCS parameters for Classifiers and Meters and the associated PHB configuration parameters for Actions and Queuing elements. The network administrator interacts with the Diffserv configuration and
--
rfc4097.txt:
Diameter is designed to support AAA for network access. It is meant to operate through networks of Diameter nodes, which both act upon and route messages toward their final destinations. Endpoints are characterized as either clients, which perform network access control, or servers, which handle authentication, authorization and accounting requests for a particular realm. Intermediate nodes perform relay, proxy, redirect, and translation services. Design

Barnes Informational [Page 8]
--
rfc2635.txt:
Hambridge & Lunde Informational [Page 1]

RFC 2635 DON'T SPEW June 1999

driver code on the Internet. There is no end-to-end cost accounting and/or cost recovery. Bandwidth is shared among all traffic without resource reservation (although this is changing).

Unfortunately for all of us, the culture so carefully nurtured through the early years of the Internet was not fully transferred to
--
rfc6550.txt:
18. Manageability Considerations

The aim of this section is to give consideration to the manageability of RPL, and how RPL will be operated in an LLN.
The scope of this section is to consider the following aspects of manageability: configuration, monitoring, fault management, accounting, and performance of the protocol in light of the recommendations set forth in [RFC5706].
--
rfc7298.txt:
RFC 7298 Babel HMAC Cryptographic Authentication July 2014

[RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management", BCP 132, RFC 4962, July 2007.

[RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 5176,
--
rfc1686.txt:
3.7  Flows and resource reservation ........................... 8
3.8  Policy based routing ..................................... 10
3.9  Topological flexibility .................................. 10
3.10 Applicability ............................................ 10
3.11 Datagram service ......................................... 11
3.12 Accounting ............................................... 11
3.13 Support of communication media ........................... 12
3.14 Robustness and fault tolerance ........................... 12
3.15 Technology pull .......................................... 12
3.16 Action items ............................................. 13
4.   Security Considerations .................................. 13
--
rfc1686.txt:
resource reservation or flows. The datagram paradigm could still be the basic service provided by IPng for many applications, but careful thought should be given to the need to support real-time traffic with (soft and/or hard) quality of service requirements.

3.12 Accounting

The ability to do accounting should be an important consideration in the selection of IPng. The future broadband networks will be commercially motivated, and measurement of resource usage by the various users will be required. The actual billing may or may not be based on session-by-session usage, and accounting will have many other useful purposes besides billing. The efficient operation of networks depends on maintaining availability and performance goals, including both on-line actions and long term planning and design. Accounting information will be important on both scores. On the other hand, the choice of providing accounting capabilities at the IPng level should be examined with a general criterion to introduce as little overhead as possible. Since fields for "to", "from" and time stamp will be available for any IPng choice, careful examination is needed of what other parameters in IPng could be useful to both accounting and other network functions, so as to keep IPng as lean as possible.
--
rfc451.txt:
whatever is most appropriate to a particular Host. This view has the additional virtue of keeping the Host "Answering Service"-equivalent processes out of the act when new protocols come along -- where by Answering Service, I mean that process which manages logins in general for a given Host. This process is, of course, a particularly sensitive one on those systems which worry about accounting and security.

That's all probably a bit vague. Perhaps some idea of how I think the UULP would work will cast some light on what I think it is. What's needed is a way of letting the Server know that it's being given a generic command (I decline to call it a Network Virtual command, but I'm
--
rfc77.txt:
papers on such a protocol. A meeting may be held between the authors of such papers if sufficient interest develops. The papers should be distributed as NWG/RFC's before 1 January 71.

6) Some sites must account for use of their computer resources, thus there must be some network accounting scheme. Sites can be categorized as Research Centers vs. Service Centers. The Service centers tend to have big machines, lots of users, and accounting problems; while the Research Centers tend to have specialized hardware, a small number of users, and no accounting at all.

J. Postel [Page 1]
--
rfc1528.txt:
o determining which content-types and character sets are supported by a remote printer server;

o introduction of authentication, integrity, privacy, authorization, and accounting services;

o preferential selection of a remote printer server; and,

o aggregation of multiple print recipients in a single message.
--
rfc3060.txt:
queue.

o Security Policies deal with verifying that the client is actually who the client purports to be, permitting or denying access to resources, selecting and applying appropriate authentication mechanisms, and performing accounting and auditing of resources.

o Service Policies characterize network and other services (not use them). For example, all wide-area backbone interfaces shall use a specific type of queuing.
--
rfc871.txt:
based on equity was employed. The classic example had to do with "electronic mail", where a desire to avoid charging for incoming mail led some FTP designers to think that the optionally mandatory "login" commands of the protocol shouldn't be mandatory after all.
But the commands were needed by some operating systems to actuate not only accounting mechanisms but authentication mechanisms as well, and the process which "fielded" FTP connections was too privileged (and too busy) to contain the FTP PI as well. So (to make a complex story cryptic), a common name and password were advertised for a "free" account for incoming mail, and the login commands remained
--
rfc4430.txt:
to create and delete SAs; the security considerations which pertain to IKE phase 1 may be safely ignored. However, being able to ignore IKE's authentication phase necessarily means that KINK inherits all of the security considerations of Kerberos authentication as outlined in [KERBEROS]. For one, a KDC, like an Authentication, Authorization, and Accounting (AAA) server, is a point of attack and all that implies. Much has been written about various shortcomings and mitigations of Kerberos, and they should be evaluated for any deployment.

KINK's use of Kerberos presents a couple of considerations. First,
--
rfc2989.txt:
Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

This document represents a summary of Authentication, Authorization, Accounting (AAA) protocol requirements for network access.
In creating this document, inputs were taken from documents produced by the Network Access Server Requirements Next Generation (NASREQ), Roaming Operations (ROAMOPS), and MOBILEIP working groups, as well as from TIA 45.6.
--
rfc2989.txt:
RFC 2989 Network Access AAA Evaluation Criteria November 2000

This document summarizes the requirements collected from those sources, separating requirements for authentication, authorization and accounting. Details on the requirements are available in the original documents.

1. Introduction

This document represents a summary of AAA protocol requirements for network access. In creating this document, inputs were taken from documents produced by the NASREQ [3], ROAMOPS [2], and MOBILEIP [5] working groups, as well as from TIA 45.6 [4]. This document summarizes the requirements collected from those sources, separating requirements for authentication, authorization and accounting. Details on the requirements are available in the original documents.

1.1. Requirements language

In this document, the key words "MAY", "MUST", "MUST NOT", "optional",
--
rfc2989.txt:
1.2. Terminology

Accounting
    The act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation.

Administrative Domain
--
rfc2989.txt:
    Hop-by-hop is the security model that requires that each direct set of peers in a proxy network share a security association, and the security information does not traverse a AAA entity.

Inter-domain Accounting
    Inter-domain accounting is the collection of information on resource usage of an entity within an administrative domain, for use within another administrative domain. In inter-domain accounting, accounting packets and session records will typically cross administrative boundaries.

Intra-domain Accounting
    Intra-domain accounting is the collection of information on resource usage within an administrative domain, for use within that domain. In intra-domain accounting, accounting packets and session records typically do not cross administrative boundaries.
Local Domain
    An administrative domain containing the AAA infrastructure
--
rfc2989.txt:
    A Proxy Broker is a AAA entity that satisfies the definition of a Broker, and acts as a Transparent Proxy by acting as the forwarding agent for all AAA messages between the local ISP and the home domain's AAA servers.

Real-time Accounting
    Real-time accounting involves the processing of information on resource usage within a defined time window. Time constraints are typically imposed in order to limit financial risk.
--
rfc2989.txt:
    might be required include ISP "confederations" and ISP-provided corporate network access support.

Session record
    A session record represents a summary of the resource consumption of a user over the entire session. Accounting gateways creating the session record may do so by processing interim accounting events.

Transparent Proxy
    A Transparent Proxy is a AAA server that satisfies the definition of a Proxy, but does not enforce any local policies (meaning that it does not add, delete or modify
--
rfc2989.txt:
login control, port usage limitations, or IP address pooling.
The design must provide for recovery from data loss due to a variety of faults, including NAS and AAA server reboots, and NAS/AAA server communication outages, and MUST be independent of the accounting stream. The granularity of the recovery of state information after an outage may be on the order of a fraction of a minute. In order to provide for state recovery, explicit session/resource status and update and disconnect messages will be required.
--
rfc2989.txt:
Aboba, et al. Informational [Page 15]

2.4. Accounting Requirements

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          |         |          |         |
| Accounting               |  NASREQ |  ROAMOPS |  MOBILE |
| Reqts.                   |         |          |   IP    |
|                          |         |          |         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          |         |          |         |
| Real-time accounting     |    M    |    M     |    M    |
| a                        |   14    |    7     |   31    |
|                          |         |          |         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          |         |          |         |
| Mandatory Compact        |         |    M     |         |
| Encoding                 |         |    7     |         |
| b                        |         |          |         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          |         |          |         |
| Accounting Record        |         |    M     |    M    |
| Extensibility            |         |    7     |   33    |
|                          |         |          |         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          |         |          |         |
| Batch Accounting         |    S    |          |         |
| c                        |   21    |          |         |
|                          |         |          |         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          |         |          |         |
| Guaranteed Delivery      |    M    |          |    M    |
| d                        |   22    |          |   31    |
|                          |         |          |         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          |         |          |         |
| Accounting Time Stamps   |    M    |          |    M    |
| e                        |   23    |          |   40    |
|                          |         |          |         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          |         |          |         |
| Dynamic Accounting       |    M    |          |         |
| f                        |   48    |          |         |
|                          |         |          |         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

--
rfc2989.txt:
[a] This requirement may be loosely defined as reporting synchronously with events. Typically the time window is on the order of seconds, not milliseconds.

[b] The AAA protocol's Accounting data format MUST NOT be bloated, imposing a large overhead for one or more accounting data elements.

[c] This requirement refers to the ability to buffer or store multiple accounting records, and send them together at some later time.

[d] This is an application layer acknowledgment. This is sent when the receiving server is willing to take responsibility for the message data.

[e] This requirement refers to the ability to reflect the time of occurrence of events such as log-on, logoff, authentication, authorization and interim accounting. It also implies the ability to provide for unambiguous time-stamps.

[f] This requirement refers to the ability to account for dynamic authentication and authorization. To support this, there can be multiple accounting records for a single session.

2.5. Unique Mobile IP requirements

In addition to the above requirements, Mobile IP also has the following additional requirements:
--
rfc2989.txt:
[5] Glass, S., Hiller, T., Jacobs, S. and C. Perkins, "Mobile IP Authentication, Authorization, and Accounting Requirements", RFC 2977, October 2000.

[6] Mitton, D., Beadles, M., "Network Access Server Requirements Next Generation (NASREQNG) NAS Model", RFC 2881, July 2000.
--
rfc2989.txt:
[9] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[10] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[11] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.

[12] Sklower, K., Lloyd, B., McGregor, G., Carr, D. and T. Coradetti,
--
rfc6738.txt:
that these rules are agreed to by the external protocol on a peer side providing the key to the IKEv2 peer, and on the Diameter server side providing the key to the IKEv2 server. This document allows for the SK to be obtained for a specific IKEv2 session and exchanged between IKEv2 server and the Home Authentication, Authorization, and Accounting (HAAA) server.
The protocol provides IKEv2 attributes to allow the HAAA to compute the SK specific to the session if desired (see Section 10). This is accomplished through the use of a new Diameter application specifically designed for performing IKEv2 authorization decisions. This document focuses on the IKEv2 server, as a Diameter client, communicating to the Diameter server, and it
--
rfc6738.txt:
EAP    Extensible Authentication Protocol

ESP    Encapsulating Security Payload

HAAA   Home Authentication, Authorization, and Accounting

IKEv2  Internet Key Exchange Protocol version 2

NAI    Network Access Identifier
--
rfc7786.txt:
Section 4 details how to set the CDO marking based on this congestion information. Section 5 discusses the loss of packets carrying ConEx information. Section 6 discusses the timeliness of the ConEx feedback signal, given that congestion is a temporary state.

This document describes congestion accounting for TCP with and without the Selective Acknowledgement (SACK) extension [RFC2018] (in Section 3.1). However, ConEx benefits from the more accurate information that SACK provides about the number of bytes dropped in the network, and it is therefore preferable to use the SACK extension when using TCP with ConEx.
The detailed mechanism to set the L flag -- ../data/rfc/rfc7786.txt- ../data/rfc/rfc7786.txt- ../data/rfc/rfc7786.txt- feedback extension to ECN (AccECN) is proposed in a separate document ../data/rfc/rfc7786.txt- [ACCURATE], as this is also useful for other mechanisms. ../data/rfc/rfc7786.txt- ../data/rfc/rfc7786.txt: Congestion accounting for both classic ECN feedback and AccECN ../data/rfc/rfc7786.txt- feedback is explained in detail in Section 3.2. Setting the E flag ../data/rfc/rfc7786.txt- in response to ECN-based congestion feedback is again detailed in ../data/rfc/rfc7786.txt- Section 4.1. ../data/rfc/rfc7786.txt- ../data/rfc/rfc7786.txt-1.1. Requirements Language -- ../data/rfc/rfc2924.txt-Category: Informational A. Blount ../data/rfc/rfc2924.txt- MetraTech Corp. ../data/rfc/rfc2924.txt- September 2000 ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: Accounting Attributes and Record Formats ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt-Status of this Memo ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- This memo provides information for the Internet community. It does ../data/rfc/rfc2924.txt- not specify an Internet standard of any kind. Distribution of this -- ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt-Abstract ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- This document summarises Internet Engineering Task Force (IETF) and ../data/rfc/rfc2924.txt- International Telecommunication Union (ITU-T) documents related to ../data/rfc/rfc2924.txt: Accounting. A classification scheme for the Accounting Attributes in ../data/rfc/rfc2924.txt- the summarised documents is presented. Exchange formats for ../data/rfc/rfc2924.txt: Accounting data records are discussed, as are advantages and ../data/rfc/rfc2924.txt- disadvantages of integrated versus separate record formats and ../data/rfc/rfc2924.txt- transport protocols. This document discusses service definition ../data/rfc/rfc2924.txt- independence, extensibility, and versioning. 
   Compound service definition capabilities are described.
--



Brownlee & Blount            Informational                      [Page 1]

RFC 2924        Accounting Attributes and Record Formats   September 2000


   4.7.   QoS: RSVP and DIFFSERV . . . . . . . . . . . . . . . . . .  12
   4.7.1. QoS: RSVP and DIFFSERV Attributes  . . . . . . . . . . . .  13
   5.     ITU-T Documents  . . . . . . . . . . . . . . . . . . . . .  13
   5.1.   Q.825: Call Detail Recording . . . . . . . . . . . . . . .  13
   5.2.   Q.825 Attributes . . . . . . . . . . . . . . . . . . . . .  14
   6.     Other Documents  . . . . . . . . . . . . . . . . . . . . .  18
   6.1.   TIPHON: ETSI TS 101 321  . . . . . . . . . . . . . . . . .  18
   6.2.   MSIX . . . . . . . . . . . . . . . . . . . . . . . . . . .  19
   7.     Accounting File and Record Formats . . . . . . . . . . . .  19
   7.1.   ASN.1 Records  . . . . . . . . . . . . . . . . . . . . . .  19
   7.1.1. RTFM and AToMMIB . . . . . . . . . . . . . . . . . . . . .  19
   7.1.2. Q.825  . . . . . . . . . . . . . . . . . . . . . . . . . .  20
   7.2.   Binary Records . . . . . . . . . . . . . . . . . . . . . .  20
   7.2.1. RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . .  20
--
   14.    Full Copyright Statement . . . . . . . . . . . . . . . . .  36

1. Introduction

   This document summarises IETF and ITU-T documents related to
   Accounting.  For those documents which describe Accounting Attributes
   (i.e. quantities which can be measured and reported), an Attribute
   Summary is given.  Although several of the documents describe
   Attributes which are similar, no attempt is made to identify those
   which are the same in several documents.  An extensible
   classification scheme for AAA Accounting Attributes is proposed; it
   is a superset of the attributes in all the documents summarised.

   Many existing accounting record formats and protocols [RAD-ACT]
   [TIPHON] are of limited use due to their single-service descriptive
   facilities and lack of extensibility.  While some record formats and
   protocols support extensible attributes [RAD-ACT], none provide
   identification, type checking, or versioning support for defined
   groupings of attributes (service definitions).  This document makes a
--
2. Terminology and Notation

   The following terms are used throughout the document.

   Accounting Server
      A network element that accepts Usage Events from Service Elements.
      It acts as an interface to back-end rating, billing, and
      operations support systems.

   Attribute-Value Pair (AVP)
--
   Usage Attribute
      A component of a Usage Event that describes some metric of service
      usage.
--
3. Architecture Model

   Service Elements provide Services to Service Consumers.  Before,
   while, and/or after services are provided, the Service Element
   reports Usage Events to an Accounting Server.  Alternately, the
   Accounting Server may query the Service Element for Usage Events.
   Usage events are sent singly or in bulk.

   +------------+       +-----------+              +------------+
   |  Service   |<----->|  Service  | Usage Events | Accounting |
   |  Consumer  |   +-->|  Element  |------------->|   Server   |
   +------------+   |   +-----------+              +------------+
                    |
   +------------+   |
   |  Service   |<--+
   |  Consumer  |
   +------------+

   Accounting Servers may forward Usage Events to other systems,
   possibly in other administrative domains.  These transfers are not
   addressed by this document.

4. IETF Documents

   In March 1999 there were at least 19 Internet Drafts and 8 RFCs
   concerned with Accounting.  These are summarised (by working group)
   in the following sections.

4.1. RADIUS

   The RADIUS protocol [RAD-PROT] carries authentication, authorization
--
   protocol are expressed in terms of RADIUS attributes such as User-
   Name, Service-Type, and so on.  These attributes provide the
   information needed by a RADIUS server to authenticate users and to
   establish authorized network service for them.

   The protocol was extended to carry accounting information between a
   NAS and a shared accounting server.  This was achieved by defining a
   set of RADIUS accounting attributes [RAD-ACT].

   RADIUS packets have a short header containing the RADIUS packet type
   (Code), an Identifier, the packet Length and a sixteen-octet
   Authenticator, followed by a sequence of (Type, Length, Value)
   triples, one for each attribute.  In an Accounting-Request the
   Authenticator is an MD5 hash computed over the packet and the shared
   secret, so the accounting server can check that a record came from a
   NAS holding the secret and was not altered in transit.
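   The packet layout just described, as an added example that is not
   code from RFC 2924 or from any RADIUS implementation: it encodes an
   Accounting-Request from (Type, Length, Value) triples, computes the
   Request Authenticator the way RFC 2866 specifies it (MD5 over Code,
   Identifier, Length, sixteen zero octets, the attributes and the
   shared secret), and parses a received packet with every length
   checked before it is used.  The shared secret, identifier and
   attribute values are constructed for the example.

```python
"""Accounting-Request encoder/parser with Request Authenticator check.

Added example, not code from RFC 2924 or any RADIUS implementation.  The
header layout (Code, Identifier, Length, 16-octet Authenticator) and the
(Type, Length, Value) attribute encoding follow RFC 2865; the Accounting-
Request authenticator rule follows RFC 2866.  SECRET, the identifier and
the attribute values are constructed for this example.
"""
import hashlib
import hmac
import struct

ACCT_REQUEST = 4      # Accounting-Request code
HEADER_LEN = 20       # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def build_acct_request(identifier, attrs, secret):
    """Encode attributes as TLV triples and fill in the Request Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + authenticator + body


def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]).

    Every length is checked against the packet before it is used: the
    Length field must fit inside the datagram and each attribute must fit
    inside Length.  Octets beyond Length are padding and are ignored."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError(f"Length field {length} does not fit the packet")
    authenticator = pkt[4:HEADER_LEN]
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        # alen counts the Type and Length octets themselves, so it is never < 2
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute length {alen} at offset {pos} overruns packet")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, authenticator, attrs


def verify_acct_request(pkt, secret):
    """True iff pkt is a well-formed Accounting-Request whose Request
    Authenticator was computed with `secret`."""
    try:
        code, _, authenticator, _ = parse_packet(pkt)
    except ValueError:
        return False
    if code != ACCT_REQUEST:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(expected, authenticator)   # constant-time compare


def is_well_formed(pkt):
    """True iff the packet parses without a length violation."""
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False


# Constructed sample: an Accounting Start for the user that appears in the
# ADIF example of section 7.3.1.
SECRET = b"example-shared-secret"
SAMPLE_ATTRS = [
    (40, struct.pack("!I", 1)),          # Acct-Status-Type = Start
    (1, b"fred@bigco.com"),              # User-Name
    (4, bytes([192, 168, 1, 1])),        # NAS-IP-Address
    (44, b"0000A1B2"),                   # Acct-Session-Id
]
SAMPLE_PACKET = build_acct_request(7, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    print(parse_packet(SAMPLE_PACKET))
    print("authentic:", verify_acct_request(SAMPLE_PACKET, SECRET))
    forged = SAMPLE_PACKET[:-1] + bytes([SAMPLE_PACKET[-1] ^ 1])
    print("after tampering:", verify_acct_request(forged, SECRET))
```

   The check is keyed MD5 over the whole datagram, which gives source
   authentication and integrity for whoever holds the secret but no
   confidentiality; the attribute values travel in the clear unless the
   RADIUS traffic is itself carried over TLS (RFC 6614).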
--
    4 NAS-IP-Address             60 CHAP-Challenge
    5 NAS-Port                   61 NAS-Port-Type
    6 Service-Type               62 Port-Limit
    7 Framed-Protocol            63 Login-LAT-Port
    8 Framed-IP-Address
    9 Framed-IP-Netmask          RADIUS Accounting Attributes
   10 Framed-Routing             [RAD-ACT]
   11 Filter-Id
   12 Framed-MTU                 40 Acct-Status-Type
   13 Framed-Compression         41 Acct-Delay-Time
   14 Login-IP-Host              42 Acct-Input-Octets
--
   29 Termination-Action         53 Acct-Output-Gigawords
   30 Called-Station-Id          54 Unused
   31 Calling-Station-Id         55 Event-Timestamp
--
   DIAMETER defines a base protocol that specifies the header formats,
   security extensions and requirements as well as a small number of
   mandatory commands and AVPs.  A new service can extend DIAMETER by
--
   One key differentiator with DIAMETER is its inherent support for
   Inter-Server communication.  Although this can be achieved in a
   variety of ways, the most useful feature is the ability to "proxy"
   messages across a set of DIAMETER servers (known as a proxy chain).

   The DIAMETER Accounting Extension document [DIAM-ACT] extends
   DIAMETER by defining a protocol for securely transferring accounting
   records over the DIAMETER base protocol.  This includes the case
   where accounting records may be passed through one or more
   intermediate proxies, in accordance with the 'referral broker' model.

   The DIAMETER accounting protocol [DIAM-ACT] defines DIAMETER records
   for transferring an ADIF record (see below).  It introduces six new
   attributes (480..485, listed in the next section): ADIF-Record
   carries the record itself, and the others specify the way in which
   accounting information is to be delivered between DIAMETER servers.

4.2.1. DIAMETER Attributes

   DIAMETER AVPs are identified by a 16-bit number defined in [DIAM-
--
   480 Accounting-Record-Type
   481 ADIF-Record
   482 Accounting-Interim-Interval
   483 Accounting-Delivery-Max-Batch
   484 Accounting-Delivery-Max-Delay
   485 Accounting-Record-Number

   600 SIP-Sequence
   601 SIP-Call-ID
   602 SIP-To
   603 SIP-From
--
   [ROAM-IMPL] reviews the design and functionality of existing roaming
   implementations.  "Roaming capability" may be loosely defined as the
   ability to use any one of multiple Internet service providers (ISPs),
   while maintaining a formal customer-vendor relationship with only
   one.  One requirement for successful roaming is the provision of
   effective accounting.

   [ROAM-ADIF] proposes a standard accounting record format, the
   Accounting Data Interchange Format (ADIF), which is designed to
   compactly represent accounting data in a protocol-independent manner.
   As a result, ADIF may be used to represent accounting data from any
   protocol using attribute value pairs (AVPs) or variable bindings.
   ADIF does not define accounting attributes of its own.  Instead, it
   gives examples of accounting records using the RADIUS accounting
   attributes.

4.4. RTFM

   The RTFM Architecture [RTFM-ARC] provides a general method of
--
   required attribute within a BER-encoded sequence.  This means there
   is only one object identifier for the whole sequence, greatly
   reducing the number of bytes required to retrieve the data.
--
   36 Source Class             Integer    "Computed" attributes
   37 Destination Class        Integer
   38 Flow Class               Integer
--
4.5. ISDN MIB

   The ISDN MIB [ISDN-MIB] defines a minimal set of managed objects for
   SNMP-based management of ISDN terminal interfaces.  It does not
   explicitly define anything related to accounting; however, it does
   define isdnBearerChargedUnits as

      The number of charged units for the current or last connection.
      For incoming calls or if charging information is not supplied by
      the switch, the value of this object is zero.
--
          isdnBearerCallConnectTime   TimeStamp,
          isdnBearerChargedUnits      Gauge32
      }

4.6. AToMMIB

   The "ATM Accounting Information MIB" document [ATM-ACT] describes a
   large set of accounting objects for ATM connections.  An
   administrator may select objects from this set using a selector of
   the form (subtree, list) where "subtree" specifies an object
   identifier from the AToMMIB.  For each subtree there is a table
   holding values for each ATM connection.  The required connections are
   indicated by setting bits in "list", which is an octet string.  For
   example, the set containing the number of received cells for the
   first eight ATM connections would be selected by
   (atmAcctngReceivedCells, 0xFF).

   The Connection-Oriented Accounting MIB document [ATM-COLL] defines a
   MIB providing managed objects used for controlling the collection and
   storage of accounting information for connection-oriented networks
   such as ATM.  The accounting data is collected into files for later
   retrieval via a file transfer protocol.  Records within an accounting
   file are stored as BER strings [ASN1, BER].

4.6.1. AToMMIB Attributes

   Accounting data objects within the AToMMIB are identified by the
   last integer in their object identifiers.

   The ATM accounting data objects are:

    1 atmAcctngConnectionType
    2 atmAcctngCastType
    3 atmAcctngIfName
    4 atmAcctngIfAlias
--
   18 atmAcctngReceivedClp0Cells
   19 atmAcctngTransmitTrafficDescriptorType
   20 atmAcctngTransmitTrafficDescriptorParam1
--
4.7.1. RSVP and DIFFSERV Attributes

   A set of parameters for specifying a requested Quality of Service are
   given in [IIS-SPEC].  These have been turned into accounting
   attributes within RTFM [RTFM-NEWA] and within the RSVP MIB
   [RSVP-MIB].

   The RTFM QoS attributes are:
--
   The Session tables contain information such as the numbers of senders
   and receivers for each session, while the Reservation Requests tables
   contain details of requests handled by the RSVP router.  There are
   too many objects to list here, but many of them could be used for
   accounting.  In particular, RSVP Requests contain the specification
   of the service parameters requested by a user; these, together with
   the actual usage data for the connection, make up an accounting
   record for that usage.

5. ITU-T Documents

5.1. Q.825: Call Detail Recording
--
   Each call produces one or more records describing events that
   occurred during the life of a call.
   Data may be produced in real time (single CDRs), near real-time
   (blocks of CDRs), or as batch
--
    9 calledPartyNumber
      Telephone number of the called subscriber (may be a "diverted-to"
      or "translated" number).
--
   20 dataValidity
      Indicates that the NE is having problems; the contents of the
      generated Call Detail Record are not reliable.
--
   37 networkProviderId
      Indicates the Network Provider for whom the CDR is generated.
--
   52 receivedDigits
      The digits dialed by the subscriber.  (Normally only included for
      customer care purposes.)
--
6. Other Documents

6.1. TIPHON: ETSI TS 101 321

   TIPHON [TIPHON] is an XML-based protocol, carried by HTTP, which
   handles accounting and authorization requests and responses.

   The following are elements selected from TIPHON's DTD that are used
   for accounting.

   <!ELEMENT Currency (#PCDATA)>
   <!ELEMENT Amount (#PCDATA)>
      Identifies a numeric value.  Expressed using the period (.) as a
      decimal separator with no punctuation as the thousands separator.
--
   <!ELEMENT DestinationInfo type ( e164 | h323 | url | email |
                                    transport | international |
                                    national | network | subscriber |
--
      Collects information describing the usage of a service.

6.2. MSIX

   MSIX [MSIX-SPEC] is an XML-based protocol transported by HTTP that is
   used to make accounting service definitions and transmit service
   usage information.  As its service definitions are parameterized and
   dynamic, it makes no definition of services or attributes itself, but
   allows implementors to make their own.
   It specifies only the base data types that attributes may take:
   STRING, UNISTRING, INT32, FLOAT, DOUBLE, BOOLEAN, TIMESTAMP.

7. Accounting File and Record Formats

7.1. ASN.1 Records

7.1.1. RTFM and AToMMIB

   RTFM and AToMMIB use ASN.1 Basic Encoding Rules (BER) to encode lists
   of attributes into accounting records.  RTFM uses SNMP to retrieve
   such records as BER strings, thus avoiding having to have an object
   identifier for every object.

   AToMMIB carries this a stage further by defining an accounting file
   format in ASN.1 and making it available for retrieval by a file
   transfer protocol, thereby providing a more efficient alternative to
   simply retrieving the records using SNMP.

7.1.2. Q.825
--
   Code
      The AVP Code identifies the attribute uniquely.  If the
      Vendor-Specific bit is set, the AVP Code is allocated from the
--
7.3. Text Records

7.3.1. ROAMOPS

   ADIF (Accounting Data Interchange Format [ROAM-ADIF]) presents a
   general, text-based format for accounting data files, described in a
   straightforward BNF grammar.  Its file header contains a field
   indicating the default protocol from which accounting attributes are
   drawn.  If an attribute from another protocol is to be used, it is
   preceded by its protocol name; for example, rtfm//27 would be RTFM's
   "forward bytes" attribute.  Comments in an ADIF file begin with a
   cross-hatch (#).

   Example: An ADIF file encoding RADIUS accounting data

      version: 1
      device: server3
      description: Accounting Server 3
      date: 02 Mar 1999 12:19:01 -0500
      defaultProtocol: radius

      rdate: 02 Mar 1999 12:20:17 -0500
      #NAS-IP-Address
--
      61: 2
      #User-Name
      1: fred@bigco.com
--
8. AAA Requirements

8.1. A Well-Defined Set of Attributes

   AAA needs a well-defined set of attributes whose values are to be
   carried in records to or from accounting servers.

   Most of the existing sets of documents described above include a set
   of attributes, identified by small integers.  It is likely that these
   sets overlap, i.e. that some of them have attributes which represent
   the same quantity using different names in different sets.  This
   suggests it might be possible to produce a single combined set of
   "universal" accounting attributes, but such a "universal" set does
   not seem worthwhile.

   The ADIF approach of specifying a default protocol (from which
   attributes are assumed to come) and identifying any exceptions seems
   much more practical.  We therefore propose that AAA should use the
   ADIF convention (or something like it) to identify attributes,
   together with all the sets of attributes covered by the [ASG-NBR]
   document.

8.2. A Simple Interchange Format

   AAA needs a simple interchange file format, to be used for accounting
   data.  Several schemes for packaging and transporting such data have
   been described above.

   The SNMP-based ones fit well within the context of an SNMP-based
   network management system.  RTFM and AToMMIB provide ways to reduce
   the SNMP overhead for collecting data, and AToMMIB defines a complete
   file format.  Both provide good ways to collect accounting data.

   As an interchange format, however, ASN.1-based schemes suffer from
   being rather complex binary structures.  This means that one requires
   suitable tools to work with them, as compared to plain-text files
   where one can use existing text-based utilities.
--
9. Issues

   It is generally agreed that there is a need for a standard record
   format and transport protocol for communication between Service
   Elements and Accounting Servers.

   There is less agreement on the following issues:

   o Separate or integral record format and transport protocol
   o Standard set of base data types
--
   o Service definition namespace management

   The following sections address these issues.
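   The ADIF text format of section 7.3.1, whose default-protocol
   convention section 8.1 proposes for AAA and whose plain-text nature
   section 8.2 argues for, as an added example that is not code from
   RFC 2924, the ROAMOPS drafts or any implementation.  The header
   fields, the "#" comment rule, the "proto//N: value" convention and
   the meaning of rtfm//27 come from the text above; the parser assumes
   that a blank line separates the header from each record and that
   every record begins with an "rdate:" line, which the quoted example
   shows but the excerpt does not state as a rule.  The attribute name
   tables and the record values not shown in the quoted example are
   constructed for this example.

```python
"""Parser for the ADIF text format described in 7.3.1 and 8.1.

Added example, not code from RFC 2924, the ROAMOPS drafts or any
implementation.  Assumptions: a blank line separates the header from each
record, and each record begins with an "rdate:" line.  The name tables
and the values not present in the quoted example are constructed.
"""
import re

# Attribute numbers -> names, taken from the tables in this document.
RADIUS_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
                40: "Acct-Status-Type", 42: "Acct-Input-Octets",
                61: "NAS-Port-Type"}
RTFM_NAMES = {27: "forward bytes"}
NAMES = {"radius": RADIUS_NAMES, "rtfm": RTFM_NAMES}

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$")
# "N: value" (attribute of the default protocol) or "proto//N: value"
ATTR_RE = re.compile(r"^(?:([A-Za-z][A-Za-z0-9_-]*)//)?([0-9]+):\s*(.*)$")


def parse_adif(text):
    """Return (header dict, list of records); a record is a dict with
    'rdate' and 'attrs', attrs being (protocol, number, value) tuples.

    A line that is neither blank, a comment, an rdate nor a well-formed
    attribute line is an error rather than being skipped, so a truncated
    or corrupted file fails loudly instead of yielding partial records."""
    blocks = [b for b in re.split(r"\n[ \t]*\n", text.strip("\n")) if b.strip()]
    if not blocks:
        raise ValueError("empty ADIF file")
    header = {}
    for raw in blocks[0].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {raw!r}")
        header[m.group(1)] = m.group(2).strip()
    if header.get("version") != "1":
        raise ValueError("unsupported or missing ADIF version")
    default = header.get("defaultProtocol", "").lower()
    if not default:
        raise ValueError("header lacks defaultProtocol")

    records = []
    for block in blocks[1:]:
        rdate, attrs = None, []
        for raw in block.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue                      # comments carry no data
            if line.startswith("rdate:"):
                rdate = line[len("rdate:"):].strip()
                continue
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError(f"malformed record line: {raw!r}")
            proto = (m.group(1) or default).lower()
            attrs.append((proto, int(m.group(2)), m.group(3).strip()))
        if rdate is None:
            raise ValueError("record without rdate")
        records.append({"rdate": rdate, "attrs": attrs})
    return header, records


def describe(record):
    """Map (protocol, number) pairs to names where a table is known."""
    return [(NAMES.get(proto, {}).get(num, f"{proto}//{num}"), value)
            for proto, num, value in record["attrs"]]


def adif_error(text):
    """Return the parse error for `text`, or None if it parses."""
    try:
        parse_adif(text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: the header and the lines quoted in 7.3.1, plus a
# NAS-IP-Address value, an Acct-Input-Octets line and an rtfm//27 line
# that are not in the quoted example.
SAMPLE_ADIF = """\
version: 1
device: server3
description: Accounting Server 3
date: 02 Mar 1999 12:19:01 -0500
defaultProtocol: radius

rdate: 02 Mar 1999 12:20:17 -0500
#NAS-IP-Address
4: 192.168.1.1
#NAS-Port-Type
61: 2
#User-Name
1: fred@bigco.com
#Acct-Input-Octets
42: 123456
#forward bytes, drawn from RTFM rather than the default protocol
rtfm//27: 654321
"""

if __name__ == "__main__":
    hdr, recs = parse_adif(SAMPLE_ADIF)
    print(hdr["device"], hdr["defaultProtocol"])
    for rec in recs:
        print(rec["rdate"], describe(rec))
```

   The numbers are resolved to names only after parsing and only
   through a per-protocol table, which is what the default-protocol
   convention buys: the same record can name a RADIUS attribute and an
   RTFM attribute by number without either namespace colliding.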
-- ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- All known Internet-centric billing protocols to date have an integral ../data/rfc/rfc2924.txt- record format. That is, the collection of Properties that describe a ../data/rfc/rfc2924.txt- Usage Event is specified as an integral part of the protocol, ../data/rfc/rfc2924.txt- typically as a part of a "submit" message that is used to transmit a ../data/rfc/rfc2924.txt: Usage Event from a Service Entity to an Accounting Server. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- It may be advantageous to define a record format that is independent ../data/rfc/rfc2924.txt- of the transport protocol. Such a record format should support both ../data/rfc/rfc2924.txt- representation of individual records and records in bulk, as Usage ../data/rfc/rfc2924.txt- Events are often aggregated and transmitted in bulk. -- ../data/rfc/rfc2924.txt- tagged, but the order of the AVPs is undefined. The message body is ../data/rfc/rfc2924.txt- not tagged (except with an additional preceding blank line), and is ../data/rfc/rfc2924.txt- found through its position in the message, which must be after all -- ../data/rfc/rfc2924.txt- change. Tagged data allows old readers to detect unexpected tags and ../data/rfc/rfc2924.txt- to detect if required data are missing. If the overhead of carrying ../data/rfc/rfc2924.txt- explicit tags can be borne, it is advantageous to use explicitly ../data/rfc/rfc2924.txt- tagged data elements where possible. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: An AVP approach has proven useful in accounting. RADIUS [RADIUS] ../data/rfc/rfc2924.txt- uses numeric data type identifiers.
ETSI's TIPHON [TIPHON] uses XML ../data/rfc/rfc2924.txt- markup. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: For an AAA accounting record format, the authors suggest that each ../data/rfc/rfc2924.txt- Property be named by a textual or numeric identifier and carry a ../data/rfc/rfc2924.txt- value and a data type indicator, which governs interpretation of the ../data/rfc/rfc2924.txt- value. It may also be useful for each Property to carry a units of ../data/rfc/rfc2924.txt- measure identifier. The TIPHON specification takes this approach. ../data/rfc/rfc2924.txt- TS 101 321 also carries an Increment field, which denominates the -- ../data/rfc/rfc2924.txt- An appropriate set would likely include booleans, 32 and 64 bit ../data/rfc/rfc2924.txt- signed integers, 32 and 64 bit floats, arbitrary octets, UTF-8 and ../data/rfc/rfc2924.txt- UTF-16 strings, and ISO 8601:1988 [ISO-DATE] timestamps. Fixed- ../data/rfc/rfc2924.txt- precision numbers capable of representing currency amounts (with ../data/rfc/rfc2924.txt- precision specified on both sides of the decimal point) have proven ../data/rfc/rfc2924.txt: useful in accounting record formats, as they are immune to the ../data/rfc/rfc2924.txt- precision problems that are encountered when one attempts to ../data/rfc/rfc2924.txt- represent fixed-point amounts with floating point numbers. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- It may be worthwhile to consider the datatypes that are being ../data/rfc/rfc2924.txt- specified by the W3C's "XML Schema Part 2: Datatypes" [XML-DATA] -- ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- Each Usage Event requires its own unique identifier.
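The typed-Property record, the fixed-precision currency type and the per-event unique identifier discussed above, worked through as an added Python example. The code is mine, not part of RFC 2924 or of any implementation it surveys. It canonicalises a Usage Event into one unambiguous text form, sorted by Property name so that the order of AVPs on the wire does not matter, then hashes and HMACs that form; a canonical form is what section 11 of this document asks for so that secure record hashes can be regenerated by a collector. The type indicator names, the tab-separated layout, the four-fractional-digit currency scale, the HMAC key, the id layout and the sample phone-call records are all my assumptions, not the RFC's.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Identifier syntax for service names, event ids and Property names (my choice).
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*\Z")


def canonical_value(kind, value, units):
    """One unambiguous text form per typed value, so equal values hash equally.
    The type indicators are mine; they cover the set section 9.2 suggests."""
    if kind == "bool":
        return "true" if value else "false"
    if kind in ("int32", "int64"):
        bits = 32 if kind == "int32" else 64
        if not isinstance(value, int) or not -(1 << (bits - 1)) <= value < (1 << (bits - 1)):
            raise ValueError("%r does not fit %s" % (value, kind))
        return str(value)
    if kind == "float64":
        return repr(float(value))            # shortest round-tripping form
    if kind == "octets":
        return bytes(value).hex()
    if kind == "utf8":
        return value.replace("\\", "\\\\").replace("\n", "\\n").replace("\t", "\\t")
    if kind == "timestamp":
        if value.tzinfo is None:
            raise ValueError("timestamps must carry a zone; local time is ambiguous")
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    if kind == "currency":
        # Fixed precision on both sides of the point: at most 15 integer digits,
        # exactly 4 fractional digits.  Quantizing must not change the amount,
        # which is what rejects a binary float such as 0.1 (Decimal(0.1) is not 1/10).
        amount = Decimal(value)
        fixed = amount.quantize(Decimal("0.0001"))
        if fixed != amount or abs(fixed) >= Decimal(10) ** 15:
            raise ValueError("%s does not fit the fixed currency precision" % amount)
        if not units:
            raise ValueError("currency values need a units identifier")
        return format(fixed, "f")
    raise ValueError("unknown type indicator %r" % kind)


def canonical_record(service, version, event_id, properties):
    """properties: (name, kind, value, units) tuples in any order.
    Output: header line, then one tab-separated line per Property, sorted by name."""
    for ident in (service, event_id):
        if not NAME_RE.match(ident):
            raise ValueError("bad identifier %r" % ident)
    seen, lines = set(), []
    for name, kind, value, units in properties:
        if not NAME_RE.match(name) or name in seen:
            raise ValueError("bad or duplicate Property name %r" % name)
        seen.add(name)
        lines.append("\t".join((name, kind, canonical_value(kind, value, units), units or "")))
    header = "\t".join((service, str(int(version)), event_id))
    return ("\n".join([header] + sorted(lines)) + "\n").encode("utf-8")


def record_digest(*record):
    return hashlib.sha256(canonical_record(*record)).hexdigest()


def record_tag(key, *record):
    """Keyed integrity tag a Service Element attaches and the collector regenerates."""
    return hmac.new(key, canonical_record(*record), hashlib.sha256).hexdigest()


def tag_valid(key, tag, *record):
    return hmac.compare_digest(tag, record_tag(key, *record))


def new_event_id(element_id, sequence):
    """Unique identifier minted by the Service Element itself, with no central
    authority: element name, monotonic sequence number, random component."""
    return "%s.%d.%s" % (element_id, sequence, secrets.token_hex(8))


def rejects(kind, value, units=None):
    """True if canonical_value refuses the value under that type indicator."""
    try:
        canonical_value(kind, value, units)
        return False
    except ValueError:
        return True


# Constructed sample: the same phone-call Usage Event as two senders might emit it,
# with Properties in a different order, the amount written differently and the
# timestamp in a +02:00 zone.  Both must canonicalise to identical bytes.
KEY = b"per-element-key"
START = datetime(2000, 9, 1, 10, 0, 0, tzinfo=timezone.utc)
EVENT_A = ("phone-call.example.com", 1, "ne7.1.0123456789abcdef", [
    ("called", "utf8", "+15550000", None),
    ("calling", "utf8", "+15550001", None),
    ("start_time", "timestamp", START, None),
    ("duration", "int32", 600, "s"),
    ("charge", "currency", Decimal("10.50"), "USD"),
])
EVENT_B = ("phone-call.example.com", 1, "ne7.1.0123456789abcdef", [
    ("charge", "currency", "10.5", "USD"),
    ("duration", "int32", 600, "s"),
    ("start_time", "timestamp", START.astimezone(timezone(timedelta(hours=2))), None),
    ("calling", "utf8", "+15550001", None),
    ("called", "utf8", "+15550000", None),
])

if __name__ == "__main__":
    print(canonical_record(*EVENT_A).decode())
    print(record_digest(*EVENT_A) == record_digest(*EVENT_B))
    print(tag_valid(KEY, record_tag(KEY, *EVENT_A), *EVENT_B))
```

The tag only proves that whoever produced the record held the per-element key; it does not hide the record, so the transport still has to provide confidentiality where the text's section 11 asks for privacy of accounting data.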
../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- It is expedient to allow Service Elements to create their own unique ../data/rfc/rfc2924.txt- identifiers. In this manner, Usage Events can be created and ../data/rfc/rfc2924.txt: archived without the involvement of an Accounting Server or other ../data/rfc/rfc2924.txt- central authority. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- A number of methods for creating unique identifiers are well known. ../data/rfc/rfc2924.txt- One popular identifier is an amalgamation of a monotonically ../data/rfc/rfc2924.txt- increasing sequence number, a large random value, a network element -- ../data/rfc/rfc2924.txt- RFC 822 [MAIL], RFC 1036 [NEWS], and RFC 2445 [ICAL-CORE] give ../data/rfc/rfc2924.txt- guidance on the creation of good unique identifiers. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt-9.4. Service Definitions ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: A critical differentiator in accounting record formats and protocols ../data/rfc/rfc2924.txt- is their capability to account for arbitrary service usage. To date, ../data/rfc/rfc2924.txt: no accounting record format or protocol that can handle arbitrary ../data/rfc/rfc2924.txt- service definitions has achieved broad acceptance on the Internet. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- This section analyzes the issues in service definition and makes a ../data/rfc/rfc2924.txt- case for a record format and protocol with the capability to carry ../data/rfc/rfc2924.txt- Usage Events for rich, independently-defined services. -- ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt-9.4.1.
Service Independence ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- It is informative to survey a number of popular Internet protocols -- ../data/rfc/rfc2924.txt- specified" protocols that have little provision for extension and ../data/rfc/rfc2924.txt- "framework" protocols that are incomplete, but provide a basis for ../data/rfc/rfc2924.txt- future extension when coupled with application documents. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- Examples of fully-specified protocols are NTP [NTP], NNTP [NNTP], ../data/rfc/rfc2924.txt: RADIUS Accounting [RAD-ACT], and HTML [HTML]. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- Aside from leaving some field values "reserved for future use", all ../data/rfc/rfc2924.txt- of Network Time Protocol's fields are fixed-width and completely ../data/rfc/rfc2924.txt- defined. This is appropriate for a simple protocol that solves a ../data/rfc/rfc2924.txt- simple problem. -- ../data/rfc/rfc2924.txt- additions. The content of news is 7-bit data, with the high-order ../data/rfc/rfc2924.txt- bit cleared to 0. Nothing further about the content is defined. ../data/rfc/rfc2924.txt- There is no in-protocol facility for automating decoding of content ../data/rfc/rfc2924.txt- type. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: We pay particular attention to RADIUS Accounting [RAD-ACT]. Perhaps ../data/rfc/rfc2924.txt- the second most frequently heard complaint (after security ../data/rfc/rfc2924.txt: shortcomings) about RADIUS Accounting is its preassigned and fixed ../data/rfc/rfc2924.txt- set of "Types". 
These are coded as a range of octets from 40 to 51 ../data/rfc/rfc2924.txt- and are as follows: ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- 40 Acct-Status-Type ../data/rfc/rfc2924.txt- 41 Acct-Delay-Time -- ../data/rfc/rfc2924.txt- protocol limits the type identifier to a single octet, limiting the ../data/rfc/rfc2924.txt- total number of types to 256. ../data/rfc/rfc2924.txt- -- ../data/rfc/rfc2924.txt- values specific for certain applications and devices. Hence, new ../data/rfc/rfc2924.txt- functionality can continuously be added to SNMP, since a standard ../data/rfc/rfc2924.txt- method has been defined to incorporate that functionality into ../data/rfc/rfc2924.txt- SNMP devices and network managers. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: Most accounting protocols are fully-specified, with either a ../data/rfc/rfc2924.txt: completely defined service or set of services (RADIUS Accounting) or ../data/rfc/rfc2924.txt- with one or more services defined and provision for "extension" ../data/rfc/rfc2924.txt- services to be added to the protocol later (TIPHON). While the ../data/rfc/rfc2924.txt- latter is better, it may be preferable still to take a more SNMP-like ../data/rfc/rfc2924.txt: approach, where the accounting record format and protocol provide ../data/rfc/rfc2924.txt- only a framework for service definition, and leave the task of ../data/rfc/rfc2924.txt- service definition (and standardization) to separate efforts. In ../data/rfc/rfc2924.txt: this manner, the accounting protocol itself would not have to be ../data/rfc/rfc2924.txt- modified to handle new services.
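The RADIUS Accounting attribute format with its fixed single-octet Types, and the earlier argument for tagged AVPs (an old reader can see the tags it does not know rather than mis-parse them), as an added Python example. This is my code, not RFC 2866's or any vendor's. It builds an Accounting-Request, checks the Request Authenticator before trusting a single attribute (RFC 2866 defines it as MD5 over the packet with sixteen zero octets in place of the authenticator, followed by the shared secret), then walks the Type-Length-Value list, keeping attributes it has no definition for instead of failing. The shared secret, the sample attributes and the dictionary of known Types are constructed for the example; only Types 1, 4, 26 and 40 to 51 are covered.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4           # RADIUS Code for Accounting-Request (RFC 2866)
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; the 16-octet Authenticator follows

# The fixed accounting Types 40..51 from RFC 2866, plus three RFC 2865 attributes
# that usually accompany them.  Any other Type is reported as unknown, not rejected.
ATTRIBUTES = {
    1: ("User-Name", "text"),
    4: ("NAS-IP-Address", "ipaddr"),
    26: ("Vendor-Specific", "octets"),
    40: ("Acct-Status-Type", "integer"),
    41: ("Acct-Delay-Time", "integer"),
    42: ("Acct-Input-Octets", "integer"),
    43: ("Acct-Output-Octets", "integer"),
    44: ("Acct-Session-Id", "text"),
    45: ("Acct-Authentic", "integer"),
    46: ("Acct-Session-Time", "integer"),
    47: ("Acct-Input-Packets", "integer"),
    48: ("Acct-Output-Packets", "integer"),
    49: ("Acct-Terminate-Cause", "integer"),
    50: ("Acct-Multi-Session-Id", "text"),
    51: ("Acct-Link-Count", "integer"),
}


def encode_attribute(atype, value):
    """One Type-Length-Value element.  The single-octet Type is the 256 limit."""
    if not 0 <= atype <= 255:
        raise ValueError("attribute type must fit in one octet")
    if isinstance(value, int):
        raw = struct.pack("!I", value)
    elif isinstance(value, str):
        raw = value.encode("utf-8")
    else:
        raw = bytes(value)
    if len(raw) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([atype, len(raw) + 2]) + raw


def build_accounting_request(identifier, attributes, secret):
    """Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = HEADER.pack(ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def request_authenticator_valid(packet, secret):
    """True only if the sender held the shared secret and nothing was altered."""
    if len(packet) < 20:
        return False
    code, _, length = HEADER.unpack(packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    packet = packet[:length]             # octets beyond Length are padding (RFC 2866)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_accounting_request(packet, secret):
    """Return (identifier, known attributes, unknown attributes), or raise.
    The authenticator is checked first so that unauthenticated bytes never
    reach the attribute parser."""
    if not request_authenticator_valid(packet, secret):
        raise ValueError("Request Authenticator mismatch: wrong secret or altered packet")
    _, identifier, length = HEADER.unpack(packet[:4])
    body = packet[20:length]
    known, unknown, pos = [], [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("attribute length %d is inconsistent" % alen)
        raw = body[pos + 2:pos + alen]
        pos += alen
        if atype not in ATTRIBUTES:
            unknown.append((atype, raw))  # tagged data: the reader sees what it does not know
            continue
        name, kind = ATTRIBUTES[atype]
        if kind in ("integer", "ipaddr") and len(raw) != 4:
            raise ValueError("%s must be 4 octets" % name)
        if kind == "integer":
            value = struct.unpack("!I", raw)[0]
        elif kind == "ipaddr":
            value = ".".join(str(b) for b in raw)
        elif kind == "text":
            value = raw.decode("utf-8")
        else:
            value = raw
        known.append((name, value))
    return identifier, known, unknown


def tampered_copy(packet, index=-1):
    """Flip one bit so the authenticator check can be seen to fail."""
    altered = bytearray(packet)
    altered[index] ^= 0x01
    return bytes(altered)


# Constructed sample: a "Start" record for user alice, plus one attribute of a
# Type (224) this reader has no definition for.
SECRET = b"example-shared-secret"
SAMPLE_ATTRIBUTES = [
    (1, "alice"),
    (4, bytes([192, 0, 2, 10])),
    (40, 1),                        # Acct-Status-Type = Start
    (44, "0000A1B2"),
    (50, "CONF-42"),
    (224, b"\x01"),
]
SAMPLE_PACKET = build_accounting_request(7, SAMPLE_ATTRIBUTES, SECRET)

if __name__ == "__main__":
    print(parse_accounting_request(SAMPLE_PACKET, SECRET))
    print(request_authenticator_valid(tampered_copy(SAMPLE_PACKET), SECRET))
```

The authenticator is the whole of RADIUS Accounting's message integrity: an MD5 digest keyed by nothing more than the shared secret, with no confidentiality for the attributes, which is part of the "security shortcomings" the text alludes to. A collector should still refuse to account from any packet that fails it, and should check it before parsing, so that malformed attributes from an unauthenticated sender never reach the parser.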
../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt-9.4.2. Versioned Service Definitions ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- Versioning is a naming and compatibility issue. Version identifiers -- ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- An example could be the service definition of a phone call. Version ../data/rfc/rfc2924.txt- 1 might define Properties for the start time, duration, and called ../data/rfc/rfc2924.txt- and calling party numbers. Later, version 2 is defined, which ../data/rfc/rfc2924.txt- augments the former service definition with a byte count. An ../data/rfc/rfc2924.txt: Accounting Server, aware only of Version 1, may accept Version 2 ../data/rfc/rfc2924.txt- records, discarding the additional information (forward ../data/rfc/rfc2924.txt: compatibility). Alternately, if an Accounting Server is made aware ../data/rfc/rfc2924.txt- of version 2, it could optionally still accept version 1 records from ../data/rfc/rfc2924.txt: Service Elements, provided the Accounting Server does not require the ../data/rfc/rfc2924.txt- additional information to properly account for service usage ../data/rfc/rfc2924.txt- (backward compatibility). ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt-9.4.3. Relationships Among Usage Events ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: Accounting record formats and protocols to date have not sufficiently ../data/rfc/rfc2924.txt- addressed "compound" service description. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- A compound service is a service that is described as a composition of ../data/rfc/rfc2924.txt- other services.
A conference call, for example, may be described as ../data/rfc/rfc2924.txt- a number of point-to-point calls to a conference bridge. It is ../data/rfc/rfc2924.txt- important to account for the individual calls, rather than just ../data/rfc/rfc2924.txt- summing up an aggregate, both for auditing purposes and to enable ../data/rfc/rfc2924.txt- differential rating. If these calls are to be reported to the ../data/rfc/rfc2924.txt: Accounting Server individually, the Usage Events require a shared ../data/rfc/rfc2924.txt: identifier that can be used by the Accounting Server and other back- ../data/rfc/rfc2924.txt- end systems to group the records together. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- In order for a Service Element to report compound events over time as ../data/rfc/rfc2924.txt: a succession of individual Usage Events, the accounting protocol ../data/rfc/rfc2924.txt- requires a facility to communicate that the compound event has ../data/rfc/rfc2924.txt- started and stopped. The "start" message can be implicit--the ../data/rfc/rfc2924.txt- transmission of the first Usage Event will suffice. An additional ../data/rfc/rfc2924.txt: semaphore is required to tell the Accounting Server that the compound ../data/rfc/rfc2924.txt- service is complete and may be further processed. This is necessary ../data/rfc/rfc2924.txt: to prevent the Accounting Server from prematurely processing compound ../data/rfc/rfc2924.txt- events that overlap the end of a billing period. 
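The compatibility rules of 9.4.2 and the compound-event handling of 9.4.3 (implicit start on the first leg, an explicit end semaphore, and incomplete groups held over a billing-period boundary rather than rated on a partial set of legs), as one added Python example. The code is mine, not RFC 2924's. The service name, the byte_count Property, the compound_id field, the de-duplication on each Usage Event's unique identifier and the conference-call sample are my assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceDefinition:
    """A versioned service definition: the Properties a Usage Event carries."""
    name: str
    version: int
    required: frozenset
    optional: frozenset = frozenset()

    def knows(self, prop):
        return prop in self.required or prop in self.optional


# Hypothetical phone-call definitions following the text: version 2 adds a byte count.
_CALL = frozenset({"start_time", "duration", "calling", "called"})
PHONE_CALL_V1 = ServiceDefinition("phone-call.example.com", 1, _CALL)
PHONE_CALL_V2 = ServiceDefinition("phone-call.example.com", 2, _CALL, frozenset({"byte_count"}))
PHONE_CALL_V2_STRICT = ServiceDefinition("phone-call.example.com", 2, _CALL | {"byte_count"})


def normalize(event, definition):
    """Apply the rules of 9.4.2 and return the Properties this server accounts with.
    Newer records lose Properties the server does not know (forward compatibility);
    older records are accepted only if they carry everything the server requires
    (backward compatibility)."""
    if event["service"] != definition.name:
        raise ValueError("unknown service %r" % event["service"])
    props = dict(event["properties"])
    if event["version"] > definition.version:
        props = {k: v for k, v in props.items() if definition.knows(k)}
    missing = definition.required - set(props)
    if missing:
        raise ValueError("version %d record lacks %s" % (event["version"], sorted(missing)))
    return props


class AccountingServer:
    def __init__(self, definition):
        self.definition = definition
        self.seen = set()       # Usage Event identifiers already accepted
        self.singles = []       # (event id, props) with no compound parent
        self.pending = {}       # compound id -> legs received, end not yet signalled
        self.completed = []     # (compound id, legs) whose end semaphore arrived

    def submit(self, event):
        """Accept one Usage Event.  Returns False for a duplicate delivery."""
        if event["id"] in self.seen:
            return False
        props = normalize(event, self.definition)   # raises before any state changes
        self.seen.add(event["id"])
        compound = event.get("compound_id")
        if compound is None:
            self.singles.append((event["id"], props))
        else:
            # the first leg is the implicit "start" of the compound event
            self.pending.setdefault(compound, []).append((event["id"], props))
        return True

    def complete(self, compound_id):
        """The explicit end semaphore: the compound service may now be rated."""
        legs = self.pending.pop(compound_id)         # KeyError: never started
        self.completed.append((compound_id, legs))

    def close_billing_period(self):
        """Hand finished work to rating.  Compound events still open are held
        over to the next period instead of being rated on partial legs."""
        batch = {"singles": self.singles, "compound": self.completed,
                 "held": sorted(self.pending)}
        self.singles, self.completed = [], []
        return batch


def rejects(server, event):
    """True if the server refuses the event under its service definition."""
    try:
        server.submit(event)
        return False
    except ValueError:
        return True


# Constructed sample: a three-leg conference call reported by a version 2
# Service Element, and one version 1 record from an older element.
def conference_leg(n):
    return {"id": "ne7.%d" % n, "service": "phone-call.example.com", "version": 2,
            "compound_id": "conf-42",
            "properties": {"start_time": "2000-09-01T10:00:00Z", "duration": 600 + n,
                           "calling": "+1555000%d" % n, "called": "+15550000",
                           "byte_count": 48000 * n}}


OLD_RECORD = {"id": "ne3.9", "service": "phone-call.example.com", "version": 1,
              "properties": {"start_time": "2000-09-01T11:00:00Z", "duration": 30,
                             "calling": "+15550009", "called": "+15550000"}}

if __name__ == "__main__":
    server = AccountingServer(PHONE_CALL_V1)
    server.submit(conference_leg(1))
    server.submit(conference_leg(2))
    print(server.close_billing_period())      # conf-42 held, nothing rated yet
    server.submit(conference_leg(3))
    server.complete("conf-42")
    print(server.close_billing_period())      # three legs, byte_count dropped
```

Rejecting a record before touching any state, and remembering accepted identifiers, matters for a collector that receives retransmissions: a Service Element that did not get an acknowledgement will send the same leg again, and the second copy must neither be rated twice nor create a second group.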
../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: RADIUS Accounting has some provision for this sort of accounting with ../data/rfc/rfc2924.txt- its "Acct-Multi-Session-Id" field. Unfortunately, RADIUS ../data/rfc/rfc2924.txt: Accounting's other shortcomings preclude it from being used in ../data/rfc/rfc2924.txt- general-purpose service usage description. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt-9.4.4. Service Namespace Management ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- "Framework" protocols, as previously mentioned, do not define -- ../data/rfc/rfc2924.txt- As previously mentioned, the XML specification provides no facility ../data/rfc/rfc2924.txt- for DTD discovery or namespace management. XML specifies only a ../data/rfc/rfc2924.txt- document format, and as such does not need to specify support for ../data/rfc/rfc2924.txt- more "protocol" oriented problems. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: For an accounting record format and protocol, an approach closer to ../data/rfc/rfc2924.txt- SNMP's is useful. SNMP uses an ISO-managed dotted-decimal namespace. ../data/rfc/rfc2924.txt- An IANA-managed registry of service types is a possibility. Another ../data/rfc/rfc2924.txt- possibility, used by MSIX [MSIX-SPEC], is for Service Element ../data/rfc/rfc2924.txt- creators to identify their services by concatenation of a new service ../data/rfc/rfc2924.txt- name with an existing unique identifier, such as a domain name.
../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- A standard record format for service definitions would make it ../data/rfc/rfc2924.txt: possible for Service Element creators to directly supply accounting ../data/rfc/rfc2924.txt- system managers with the required definitions, via the network or ../data/rfc/rfc2924.txt- other means. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt-10. Encodings ../data/rfc/rfc2924.txt- -- ../data/rfc/rfc2924.txt- implementation is paramount and the application can tolerate any ../data/rfc/rfc2924.txt- additional processing required to generate, parse, and transport the ../data/rfc/rfc2924.txt- records. -- ../data/rfc/rfc2924.txt- An alternative "compressed" encoding that makes minimal use of storage ../data/rfc/rfc2924.txt- and processing may be useful in many contexts. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- There are disadvantages to supporting multiple encodings. ../data/rfc/rfc2924.txt- Optional support for multiple encodings requires a ../data/rfc/rfc2924.txt: capabilities exchange between Service Element and Accounting Server. ../data/rfc/rfc2924.txt- Also, implementations can tend to "drift apart", with one encoding ../data/rfc/rfc2924.txt- better-supported than another. Unless all encodings are mandatory, ../data/rfc/rfc2924.txt- implementors may find they are unable to interoperate because they ../data/rfc/rfc2924.txt- picked the wrong encoding.
../data/rfc/rfc2924.txt- -- ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- This document summarises many existing IETF and ITU documents; please ../data/rfc/rfc2924.txt- refer to the original documents for security considerations for their ../data/rfc/rfc2924.txt- particular protocols. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: It must be possible for the accounting protocol to be carried by a ../data/rfc/rfc2924.txt- secure transport. A canonical record format is useful so that ../data/rfc/rfc2924.txt- regeneration of secure record hashes is possible. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: When dealing with accounting data files, one must take care that ../data/rfc/rfc2924.txt- their integrity and privacy are preserved. This document, however, ../data/rfc/rfc2924.txt- is only concerned with the format of such files. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt-12. References ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: [ACC-BKG] Mills, C., Hirsch, G. and G. Ruth, "Internet Accounting ../data/rfc/rfc2924.txt- Background", RFC 1272, November 1991. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [ASG-NBR] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, ../data/rfc/rfc2924.txt- RFC 1700, October 1994. ../data/rfc/rfc2924.txt- -- ../data/rfc/rfc2924.txt- Notation One (ASN.1), International Organization for ../data/rfc/rfc2924.txt- Standardization, International Standard 8824, December ../data/rfc/rfc2924.txt- 1987. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [ATM-ACT] McCloghrie, K., Heinanen, J., Greene, W. and A. Prasad, ../data/rfc/rfc2924.txt: "Accounting Information for ATM Networks", RFC 2512, ../data/rfc/rfc2924.txt- February 1999. 
../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [ATM-COLL] McCloghrie, K., Heinanen, J., Greene, W. and A. Prasad, ../data/rfc/rfc2924.txt- "Managed Objects for Controlling the Collection and ../data/rfc/rfc2924.txt: Storage of Accounting Information for Connection-Oriented ../data/rfc/rfc2924.txt- Networks", RFC 2513, February 1999. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [BER] Information processing systems - Open Systems ../data/rfc/rfc2924.txt- Interconnection - Specification of Basic Encoding Rules ../data/rfc/rfc2924.txt- for Abstract Notation One (ASN.1), International ../data/rfc/rfc2924.txt- Organization for Standardization, International Standard ../data/rfc/rfc2924.txt- 8825, December 1987. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [DIAM-ACT] Arkko, J., Calhoun, P.R., Patel, P. and Zorn, G., ../data/rfc/rfc2924.txt: "DIAMETER Accounting Extension", Work in Progress. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [DIAM-AUTH] Calhoun, P.R. and Bulley, W., "DIAMETER User ../data/rfc/rfc2924.txt- Authentication Extensions", Work in Progress. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [DIAM-FRAM] Calhoun, P.R., Zorn, G.
and Pan, P., "DIAMETER Framework -- ../data/rfc/rfc2924.txt- [ISO-DATE] "Data elements and interchange formats -- Information ../data/rfc/rfc2924.txt- interchange -- Representation of dates and times", ISO ../data/rfc/rfc2924.txt- 8601:1988. -- ../data/rfc/rfc2924.txt- September 1985. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [Q-825] "Specification of TMN applications at the Q3 interface: ../data/rfc/rfc2924.txt- Call detail recording", ITU-T Recommendation Q.825, 1998. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: [RAD-ACT] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [RAD-EXT] Rigney, C., Willats, W. and Calhoun, P., "RADIUS ../data/rfc/rfc2924.txt- Extensions", RFC 2869, June 2000. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [RAD-PROT] Rigney, C., Willens, S., Rubens, A., and W. Simpson, ../data/rfc/rfc2924.txt- "Remote Authentication Dial In User Service (RADIUS)", ../data/rfc/rfc2924.txt- RFC 2865, June 2000. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: [RAD-TACC] Zorn, G., Mitton, D. and B. Aboba, "RADIUS Accounting ../data/rfc/rfc2924.txt- Modifications for Tunnel Protocol Support", RFC 2867, ../data/rfc/rfc2924.txt- June 2000. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [RAP-COPS] Boyle, J., Cohen, R., Durham, D., Herzog, S., Rajan, R. ../data/rfc/rfc2924.txt- and A. Sastry, "The COPS (Common Open Policy Service) ../data/rfc/rfc2924.txt- Protocol", RFC 2748, January 2000. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt: [ROAM-ADIF] Aboba, B. and D. Lidyard, "The Accounting Data ../data/rfc/rfc2924.txt- Interchange Format (ADIF)", Work in Progress.
../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [ROAM-IMPL] Aboba, B., Lu, J., Alsop, J., Ding, J. and W. Wang, ../data/rfc/rfc2924.txt- "Review of Roaming Implementations", RFC 2194, September ../data/rfc/rfc2924.txt- 1997. ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- [RS-DS-OP] Bernet, Y., Yavatkar, R., Ford, P., Baker, F., Zhang, L., ../data/rfc/rfc2924.txt- Speer, M., Braden, R., Davie, B., Wroclawski, J. and E. ../data/rfc/rfc2924.txt- Felstaine, "A Framework For Integrated Services Operation -- ../data/rfc/rfc2924.txt- [XML-DATA] "XML Schema Part 2: Datatypes", W3C Working Draft, 7 ../data/rfc/rfc2924.txt- April 2000. ../data/rfc/rfc2924.txt- -- ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt-14. Full Copyright Statement ../data/rfc/rfc2924.txt- ../data/rfc/rfc2924.txt- Copyright (C) The Internet Society (2000). All Rights Reserved.
-- ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt-2869 Rigney Jun 2000 RADIUS Extensions ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt-This document describes additional attributes for carrying ../data/rfc/rfc2899.txt:authentication, authorization and accounting information between a ../data/rfc/rfc2899.txt:Network Access Server (NAS) and a shared Accounting Server using the ../data/rfc/rfc2899.txt-Remote Authentication Dial In User Service (RADIUS) protocol described ../data/rfc/rfc2899.txt-in RFC 2865 and RFC 2866. This memo provides information for the ../data/rfc/rfc2899.txt-Internet community. ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt- -- ../data/rfc/rfc2899.txt-User Service) attributes designed to support the provision of compulsory ../data/rfc/rfc2899.txt-tunneling in dial-up networks. This memo provides information for the ../data/rfc/rfc2899.txt-Internet community. ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt:2867 Zorn Jun 2000 RADIUS Accounting ../data/rfc/rfc2899.txt- Modifications for Tunnel ../data/rfc/rfc2899.txt- Protocol Support ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt-This document defines new RADIUS (Remote Authentication Dial In User ../data/rfc/rfc2899.txt:Service) accounting Attributes and new values for the existing Acct- ../data/rfc/rfc2899.txt-Status-Type Attribute designed to support the provision of compulsory ../data/rfc/rfc2899.txt-tunneling in dial-up networks. This memo provides information for the ../data/rfc/rfc2899.txt-Internet community. ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt:2866 Rigney Jun 2000 RADIUS Accounting ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt:This document describes a protocol for carrying accounting information ../data/rfc/rfc2899.txt:between a Network Access Server and a shared Accounting Server. This ../data/rfc/rfc2899.txt-memo provides information for the Internet community. 
../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt- ../data/rfc/rfc2899.txt- -- ../data/rfc/rfc2116.txt- such as data integrity, process persistence, and server classes. NSDS ../data/rfc/rfc2116.txt- supports access over X.25 WAN, LAN and TCP/IP networks. ../data/rfc/rfc2116.txt- ../data/rfc/rfc2116.txt- NSDS is a port of OSF's DCE GDS Reference Implementation, with Tandem ../data/rfc/rfc2116.txt- enhancements including 1993 X.500 Simplified Access Control. Tandem ../data/rfc/rfc2116.txt: server class management provides fault events, tracing, accounting and ../data/rfc/rfc2116.txt- configuration services for NSDS. TM/MP (Transaction Management) is ../data/rfc/rfc2116.txt- used to protect all file operations that affect the integrity of the ../data/rfc/rfc2116.txt- directory entries in the DIB. ../data/rfc/rfc2116.txt- ../data/rfc/rfc2116.txt- Major Features Include: -- ../data/rfc/rfc869.txt- ../data/rfc/rfc869.txt-the monitoring center that a particular event has happened by ../data/rfc/rfc869.txt- ../data/rfc/rfc869.txt-sending a trap message, while the monitoring center is reliably ../data/rfc/rfc869.txt- ../data/rfc/rfc869.txt:collecting the host's throughput and accounting data. ../data/rfc/rfc869.txt- ../data/rfc/rfc869.txt- ../data/rfc/rfc869.txt- Traps report spontaneous events, as they occur, to the ../data/rfc/rfc869.txt- ../data/rfc/rfc869.txt-monitoring center. 
In order to insure their prompt delivery, the -- ../data/rfc/rfc869.txt- 2 | Status ../data/rfc/rfc869.txt- 3 | Thruput ../data/rfc/rfc869.txt- 4 | HTM - Host Traffic Matrix ../data/rfc/rfc869.txt- 5 | Parameters ../data/rfc/rfc869.txt- 6 | Routing ../data/rfc/rfc869.txt: 7 | Call Accounting ../data/rfc/rfc869.txt- | ../data/rfc/rfc869.txt- 100 | Poll ../data/rfc/rfc869.txt- 101 | Error ../data/rfc/rfc869.txt- 102 | Control Acknowledgment ../data/rfc/rfc869.txt- -- ../data/rfc/rfc4285.txt- - Networks in which the authentication of the MN for network access ../data/rfc/rfc4285.txt- is done by an authentication server in the home network via the home ../data/rfc/rfc4285.txt- agent. The security association is established by the network ../data/rfc/rfc4285.txt- operator (provisioning methods) between the MN and a backend ../data/rfc/rfc4285.txt- authentication server (e.g., Authentication, Authorization, and ../data/rfc/rfc4285.txt: Accounting (AAA) home server). MIPv6 as per RFCs 3775 and 3776 ../data/rfc/rfc4285.txt- relies on the IPsec SA between the MN and an HA. In cases where the ../data/rfc/rfc4285.txt- assignment of the HA is dynamic and the only static or long-term SA ../data/rfc/rfc4285.txt- is between the MN and a backend authentication server, the mobility ../data/rfc/rfc4285.txt- message authentication option is desirable. ../data/rfc/rfc4285.txt- -- ../data/rfc/rfc4285.txt- ../data/rfc/rfc4285.txt-2. Overview ../data/rfc/rfc4285.txt- ../data/rfc/rfc4285.txt- This document presents a lightweight mechanism to authenticate the ../data/rfc/rfc4285.txt- Mobile Node at the Home Agent or at the Authentication, ../data/rfc/rfc4285.txt: Authorization, and Accounting (AAA) server in Home network (AAAH) ../data/rfc/rfc4285.txt- based on a shared-key-based mobility security association between the ../data/rfc/rfc4285.txt- Mobile Node and the respective authenticating entity. 
This shared- ../data/rfc/rfc4285.txt- key-based mobility security association (shared-key-based mobility ../data/rfc/rfc4285.txt- SA) may be statically provisioned or dynamically created. The term ../data/rfc/rfc4285.txt- -- ../data/rfc/rfc7530.txt- With delegations, a client is able to avoid writing data to the ../data/rfc/rfc7530.txt- server when the CLOSE of a file is serviced. The file close system ../data/rfc/rfc7530.txt- call is the usual point at which the client is notified of a lack of ../data/rfc/rfc7530.txt- stable storage for the modified file data generated by the ../data/rfc/rfc7530.txt- application. At the close, file data is written to the server, and ../data/rfc/rfc7530.txt: through normal accounting the server is able to determine if the ../data/rfc/rfc7530.txt- available file system space for the data has been exceeded (i.e., the ../data/rfc/rfc7530.txt: server returns NFS4ERR_NOSPC or NFS4ERR_DQUOT). This accounting ../data/rfc/rfc7530.txt- includes quotas. The introduction of delegations requires that an ../data/rfc/rfc7530.txt- alternative method be in place for the same type of communication to ../data/rfc/rfc7530.txt- occur between client and server. ../data/rfc/rfc7530.txt- ../data/rfc/rfc7530.txt- In the delegation response, the server provides either the limit of -- ../data/rfc/rfc7530.txt- ../data/rfc/rfc7530.txt- o Different named attribute directories, or between a named ../data/rfc/rfc7530.txt- attribute directory and an ordinary directory. ../data/rfc/rfc7530.txt- ../data/rfc/rfc7530.txt- o Regions of a file system that the file system implementation ../data/rfc/rfc7530.txt: treats as separate (for example, for space accounting purposes), ../data/rfc/rfc7530.txt- and where cross-connection between the regions is not allowed. ../data/rfc/rfc7530.txt- ../data/rfc/rfc7530.txt- ../data/rfc/rfc7530.txt- ../data/rfc/rfc7530.txt- -- ../data/rfc/rfc2882.txt- 6.1 Managed Resources . . . . . . . . . . . . . . . . . . . . . 
6.2 Resource Management Messages
6.3 Concurrent Logins
6.4 Authorization Changes
7. Policy Services
8. Accounting Extensions
8.1 Auditing/Activity
9. Conclusions
10. Security Considerations
11. Implementation Documents
11.1. Clients

VALUE Acct-Status-Type VSE-User-Reject        0x06300001
VALUE Acct-Status-Type VSE-Call-Reject        0x06300002
VALUE Acct-Status-Type VSE-IPCP-Start         0x06300003
VALUE Acct-Status-Type VSE-IPXCP-Start        0x06300004
VALUE Acct-Status-Type VSE-ATCP-Start         0x06300005
VALUE Acct-Status-Type VSE-Accounting-Restart 0x06300006
VALUE Acct-Status-Type VSE-Accounting-Shutoff 0x06300007

Mitton Informational [Page 4]

These fall into a number of categories which are described in the next section below. Some of these messages are actually used between the RADIUS server and some other resource server, using a RADIUS-like protocol to implement new functions.

 6 Accounting Status (now Interim Accounting [5])
 7 Password Request
 8 Password Ack
 9 Password Reject
10 Accounting Message

21 Resource Free Request
22 Resource Free Response
23 Resource Query Request
24 Resource Query Response

There are several different types of implementation techniques:

- Explicit request/free resource requests
- Monitor usage with daemons watching the state
- Explicit messages to a state daemon
- Monitor Accounting messages for state changes

6.2. Resource Management Messages

Messages used for resource management

on a RADIUS environment. Some vendors have built NAS monitoring tools into their RADIUS servers, either directly or as auxiliary daemons, that can check the session status of the controlled NASes by SNMP or proprietary methods.

Other vendors monitor the RADIUS access and accounting messages and derive state information from the requests. This monitoring is not as reliable as directly auditing the NAS, but it is also less vendor specific, and can work with any RADIUS NAS, provided it sends both streams to the same server.
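The last of the techniques listed above, deriving session state from the accounting stream instead of auditing the NAS, fails in exactly the ways RFC 2882 hints at: a Stop is lost (accounting runs over UDP), a NAS reboots and its old sessions silently vanish, an Interim-Update arrives for a session whose Start was never seen. The following is an added example, not code from RFC 2882 or from any vendor's RADIUS server, of a tracker that answers the concurrent-logins question from Accounting-Requests alone and handles those three cases. The records are constructed dicts standing in for decoded RFC 2866 attributes; the `stale_after` window and the treatment of Accounting-On/Off as a per-NAS reset are design assumptions, not anything the RFC prescribes.

```python
"""Session state from a RADIUS accounting stream, for concurrent-login checks.

Added example; not code from RFC 2882 or any vendor's RADIUS server.  Records
are constructed dicts standing in for decoded Accounting-Request attributes
(RFC 2866 names); Acct-Status-Type values are the RFC 2866 ones.
"""
from __future__ import annotations
from dataclasses import dataclass

START, STOP, INTERIM_UPDATE, ACCOUNTING_ON, ACCOUNTING_OFF = 1, 2, 3, 7, 8


@dataclass
class Session:
    user: str
    nas: str
    port: int
    last_seen: float


class SessionTracker:
    """Sessions the accounting stream currently says are live.

    stale_after (assumption): seconds without a Start or Interim-Update after
    which a session is presumed dead.  Accounting runs over UDP and a NAS may
    crash, so a Stop can simply never arrive; without expiry a lost Stop would
    pin the user's login slot forever.
    """

    def __init__(self, stale_after: float = 900.0):
        self.stale_after = stale_after
        self._sessions: dict = {}   # (nas, Acct-Session-Id) -> Session

    def feed(self, rec: dict) -> None:
        status, nas, now = rec["Acct-Status-Type"], rec["NAS-IP-Address"], rec["timestamp"]
        if status in (ACCOUNTING_ON, ACCOUNTING_OFF):
            # The NAS (re)started or stopped accounting: every session it
            # reported earlier is gone, whether or not a Stop was ever seen.
            for key in [k for k in self._sessions if k[0] == nas]:
                del self._sessions[key]
            return
        key = (nas, rec["Acct-Session-Id"])
        if status == STOP:
            self._sessions.pop(key, None)
        elif status in (START, INTERIM_UPDATE):
            # An Interim-Update for an unknown session means the Start was lost;
            # the session is real, so record it anyway.
            self._sessions[key] = Session(rec["User-Name"], nas, rec["NAS-Port"], now)

    def expire(self, now: float) -> list:
        dead = [k for k, s in self._sessions.items() if now - s.last_seen > self.stale_after]
        for k in dead:
            del self._sessions[k]
        return dead

    def active(self, user: str) -> list:
        return [s for s in self._sessions.values() if s.user == user]

    def login_allowed(self, user: str, limit: int, now: float) -> bool:
        """The question a RADIUS server asks at Access-Request time."""
        self.expire(now)
        return len(self.active(user)) < limit


def replay(records: list, stale_after: float = 900.0) -> SessionTracker:
    """Feed records in timestamp order (UDP does not preserve it)."""
    tracker = SessionTracker(stale_after)
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        tracker.feed(rec)
    return tracker


def _rec(ts, status, user, nas, port, session_id):
    return {"timestamp": ts, "Acct-Status-Type": status, "User-Name": user,
            "NAS-IP-Address": nas, "NAS-Port": port, "Acct-Session-Id": session_id}


# Constructed stream (not captured traffic).  Note the Interim-Update for bob
# with no Start, the Stop for alice's first session, and the Accounting-On
# from 192.0.2.2 that silently ends alice's second one.
SAMPLE = [
    _rec(0, START, "alice", "192.0.2.1", 3, "a1"),
    _rec(10, START, "alice", "192.0.2.2", 7, "a2"),
    _rec(20, INTERIM_UPDATE, "bob", "192.0.2.1", 5, "b1"),
    _rec(30, STOP, "alice", "192.0.2.1", 3, "a1"),
    _rec(40, ACCOUNTING_ON, "", "192.0.2.2", 0, ""),
]
```

Replaying the first four records leaves alice with one live session (a2 on 192.0.2.2) and bob with one, so a limit of 1 would refuse alice a third login; after the Accounting-On from 192.0.2.2 alice has none, and bob's session lapses once `stale_after` passes with no further update. That expiry is the "less reliable than directly auditing the NAS" trade-off in concrete form: pick the window too short and you double-book ports, too long and a crashed NAS locks users out.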
RFC 2882 Extended RADIUS Practices July 2000

- SNMP commands
- Telnet monitor daemon
- Accounting monitor

6.4. Authorization Changes

To implement active changes to a running session, such as filter changes or timeout and disconnect, at least one vendor has added a

The other implementation performs similar operations. It uses VSAs in the Access-Request to distinguish pre-authentication message types.

8. Accounting Extensions

Traditional Accounting only records session starts and stops, which is pretty boring. Additional session information reporting can be added easily, which gives a better picture of operations in use as they happen. Some event types are listed below.

8.1. Auditing/Activity

find problem areas or users.

Information about call failures, successes, and quality are also deemed important by many service providers.

Extending RADIUS accounting is easy; it's surprising that more implementations have not been made in this area.

9. Conclusions

In real life RADIUS Servers are becoming rather complex software

[1] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.
[2] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.
[3] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[4] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[5] Rigney, C., Willats, W. and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.
[6] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.
[7] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.
[8] Aboba, B. and G. Zorn, "Implementation of L2TP Compulsory Tunneling via RADIUS", RFC 2809, April 2000.

rfc1190.txt:
When the DISCONNECT reaches a target, the target sends an ACK and notifies the application that it is no longer part of the stream and the reason.
The application should then inform ST to terminate the stream, and ST should delete the stream from its database after performing any necessary management and accounting functions.

3.3.3. A Target Deleting Itself

The application at the target may inform ST that it wants to be

Unique ID value not be reused for a period of time on the order of 5 minutes.

The Timestamp is included both to make the Name unique over long intervals (e.g., forever) for purposes of network management and accounting/billing, and to protect against failure of an ST agent that causes knowledge of active Unique IDs to be lost. The assumption is that all ST agents have access to some "clock". If this is not the case, the agent should have access to some form of non-volatile memory in which it can store some number that at least gets

rfc2867.txt:
D. Mitton
Nortel Networks
June 2000

RADIUS Accounting Modifications for Tunnel Protocol Support

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this

Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract

This document defines new RADIUS accounting Attributes and new values for the existing Acct-Status-Type Attribute [1] designed to support the provision of compulsory tunneling in dial-up networks.

Specification of Requirements

involve compulsory tunneling: the tunnel is created without any action from the user and without allowing the user any choice in the matter, as a service of the Internet service provider (ISP). Typically, ISPs providing a service want to collect data regarding that service for billing, network planning, etc. One way to collect usage data in dial-up networks is by means of RADIUS Accounting [1]. The use of RADIUS Accounting allows dial-up usage data to be collected at a central location, rather than stored on each NAS.

Zorn, et al. Informational [Page 1]

RFC 2867 RADIUS Tunnel Accounting Support June 2000

In order to collect usage data regarding tunneling, new RADIUS attributes are needed; this document defines these attributes. In addition, several new values for the Acct-Status-Type attribute are

Compulsory tunneling may be part of a package of services provided by one entity to another.
For example, a corporation might contract with an ISP to provide remote intranet access to its employees via compulsory tunneling. In this case, the integration of RADIUS and tunnel protocols allows the ISP and the corporation to synchronize their accounting activities so that each side receives a record of the user's resource consumption. This provides the corporation with the means to audit ISP bills.

In auditing, the User-Name, Acct-Tunnel-Connection, Tunnel-Client-Endpoint and Tunnel-Server-Endpoint attributes are typically used to uniquely identify the call, allowing the Accounting-Request sent by the NAS to be reconciled with the corresponding Accounting-Request sent by the tunnel server.

When implementing RADIUS accounting for L2TP/PPTP tunneling, the Call-Serial-Number SHOULD be used in the Acct-Tunnel-Connection attribute. In L2TP, the Call-Serial-Number is a 32-bit field and in PPTP it is a 16-bit field. In PPTP the combination of IP Address and Call-Serial-Number SHOULD be unique, but this is not required. In addition, no method for determining the Call-Serial-Number is

Description

This value MAY be used to mark the establishment of a tunnel with another node. If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:

User-Name (1)
NAS-IP-Address (4)
Acct-Delay-Time (41)

Description

This value MAY be used to mark the destruction of a tunnel to or from another node. If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:

User-Name (1)
NAS-IP-Address (4)
Acct-Delay-Time (41)

3.3. Tunnel-Reject

Value

Description

This value MAY be used to mark the rejection of the establishment of a tunnel with another node.
If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:

User-Name (1)
NAS-IP-Address (4)
Acct-Delay-Time (41)
Acct-Terminate-Cause (49)

This value MAY be used to mark the creation of a tunnel link. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. This Attribute is intended to mark the creation of a link within a tunnel that carries multiple links. For example, if a mandatory tunnel were to carry M links over its lifetime, 2(M+1) RADIUS Accounting messages might be sent: one each marking the initiation and destruction of the tunnel itself and one each for the initiation and destruction of each link within the tunnel. If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since the presence of the Tunnel-Start Attribute will imply the initiation of the (only possible) link.

If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:

User-Name (1)
NAS-IP-Address (4)
NAS-Port (5)
Acct-Delay-Time (41)

This value MAY be used to mark the destruction of a tunnel link. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. This Attribute is intended to mark the destruction of a link within a tunnel that carries multiple links. For example, if a mandatory tunnel were to carry M links over its lifetime, 2(M+1) RADIUS Accounting messages might be sent: one each marking the initiation and destruction of the tunnel itself and one each for the initiation and destruction of each link within the tunnel. If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since the presence of the Tunnel-Stop Attribute will imply the termination of the (only possible) link.
If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:

User-Name (1)
NAS-IP-Address (4)
NAS-Port (5)
Acct-Delay-Time (41)

Acct-Output-Packets (48)
Acct-Terminate-Cause (49)
Acct-Multi-Session-Id (51)

This value MAY be used to mark the rejection of the establishment of a new link in an existing tunnel. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since in this case the Tunnel-Reject Attribute has the same meaning.

If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:

User-Name (1)
NAS-IP-Address (4)
Acct-Delay-Time (41)
Acct-Terminate-Cause (49)

4. Attributes

4.1. Acct-Tunnel-Connection

Description

This Attribute indicates the identifier assigned to the tunnel session. It SHOULD be included in Accounting-Request packets which contain an Acct-Status-Type attribute having the value Start, Stop or any of the values described above. This attribute, along with the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint attributes [3], may be used to provide a means to uniquely identify a tunnel session for auditing purposes.

4.2. Acct-Tunnel-Packets-Lost

Description

This Attribute indicates the number of packets lost on a given link. It SHOULD be included in Accounting-Request packets which contain an Acct-Status-Type attribute having the value Tunnel-Link-Stop.

A summary of the Acct-Tunnel-Packets-Lost Attribute format is shown below. The fields are transmitted from left to right.

of packets lost on the link.
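The pieces of RFC 2867 excerpted above fit together as follows: the NAS (the ISP's LAC) and the tunnel server (the corporation's LNS) each emit Accounting-Requests carrying the tunnel Acct-Status-Type values, and the auditor matches the two streams on User-Name, Acct-Tunnel-Connection, Tunnel-Client-Endpoint and Tunnel-Server-Endpoint, expecting 2(M+1) messages per tunnel that carried M links. The block below is an added example, not code from the RFC or from any NAS or RADIUS server: it builds such packets with the RFC 2866 Request Authenticator, refuses any packet whose authenticator does not verify under the side's shared secret, and reconciles the two views. Attribute numbers come from RFCs 2866, 2867 and 2868 (the RFC 2868 endpoint attributes carry a leading Tag octet, handled here as tag 1); the secrets, addresses, user name and connection identifiers are constructed placeholders, and the one deliberately mis-authenticated packet in the sample shows why verification happens before a record can feed an audit. Note what the authenticator does not do: every attribute is sent in the clear, so an on-path observer can read the same tunnel lifecycle the auditor reconstructs.

```python
"""RFC 2866 Accounting-Request carrying the RFC 2867 tunnel values: build,
authenticate, parse, and reconcile NAS records against tunnel-server records.
Added example, not code from the RFCs or any product; all data is constructed."""
import hashlib, hmac, ipaddress, struct
from collections import defaultdict

ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 4, 40         # RFC 2866
TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT = 66, 67         # RFC 2868, tagged
ACCT_TUNNEL_CONNECTION = 68                                     # RFC 2867
TAGGED = {64, 65, 66, 67}                                       # leading Tag octet
TUNNEL_START, TUNNEL_STOP, TUNNEL_REJECT = 9, 10, 11            # Acct-Status-Type
TUNNEL_LINK_START, TUNNEL_LINK_STOP, TUNNEL_LINK_REJECT = 12, 13, 14

def _encode_value(attr_type, value):
    if isinstance(value, int):
        raw = struct.pack("!I", value)
    elif attr_type == NAS_IP_ADDRESS:
        raw = ipaddress.IPv4Address(value).packed
    else:
        raw = value.encode()
    return (b"\x01" + raw) if attr_type in TAGGED else raw      # tag 1: one tunnel

def build_accounting_request(ident, attrs, secret):
    body = b"".join(bytes([t, 2 + len(r)]) + r for t, r in
                    ((t, _encode_value(t, v)) for t, v in attrs))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret).
    # Origin and integrity only; the attributes themselves stay in the clear.
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def verify(packet, secret):
    """True only if a holder of the shared secret produced this exact packet."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Decode what an auditor needs; anyone sniffing the wire can do the same."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        raw, i = packet[i + 2:i + length], i + length
        if attr_type in TAGGED and raw and raw[0] <= 0x1F:
            raw = raw[1:]                                       # strip RFC 2868 tag
        if attr_type == ACCT_STATUS_TYPE:
            attrs[attr_type] = struct.unpack("!I", raw)[0]
        elif attr_type == NAS_IP_ADDRESS:
            attrs[attr_type] = str(ipaddress.IPv4Address(raw))
        else:
            attrs[attr_type] = raw.decode()
    return attrs

def tunnel_key(attrs):
    """The four attributes RFC 2867 names for matching the two sides' records."""
    return (attrs[USER_NAME], attrs[ACCT_TUNNEL_CONNECTION],
            attrs[TUNNEL_CLIENT_ENDPOINT], attrs[TUNNEL_SERVER_ENDPOINT])

def reconcile(nas_packets, lns_packets, nas_secret, lns_secret):
    """Per tunnel: each side's tunnel events and whether they agree.  A tunnel
    that carried M links should show 2(M+1) messages on each side."""
    views = defaultdict(lambda: {"nas": [], "lns": []})
    for side, packets, secret in (("nas", nas_packets, nas_secret), ("lns", lns_packets, lns_secret)):
        for packet in packets:
            if not verify(packet, secret):
                continue                                        # forged: never audited
            attrs = parse_attributes(packet)
            if TUNNEL_START <= attrs.get(ACCT_STATUS_TYPE, 0) <= TUNNEL_LINK_REJECT:
                views[tunnel_key(attrs)][side].append(attrs[ACCT_STATUS_TYPE])
    report = {}
    for key, v in views.items():
        links = v["nas"].count(TUNNEL_LINK_STOP)
        report[key] = {"nas_msgs": len(v["nas"]), "lns_msgs": len(v["lns"]), "links": links,
                       "consistent": sorted(v["nas"]) == sorted(v["lns"])
                       and len(v["nas"]) == 2 * (links + 1)}
    return report

NAS_SECRET, LNS_SECRET = b"isp-nas-secret", b"corp-lns-secret"  # placeholder secrets

def _sequence(statuses, nas_ip, conn, secret, first_id=1):
    pkts = []
    for n, status in enumerate(statuses):
        attrs = [(USER_NAME, "alice@corp.example"), (NAS_IP_ADDRESS, nas_ip),
                 (ACCT_STATUS_TYPE, status), (ACCT_TUNNEL_CONNECTION, conn),
                 (TUNNEL_CLIENT_ENDPOINT, "198.51.100.7"), (TUNNEL_SERVER_ENDPOINT, "203.0.113.9")]
        pkts.append(build_accounting_request((first_id + n) & 0xFF, attrs, secret))
    return pkts

def sample_packets():
    """Constructed traffic: tunnel c42 carried one link and both sides agree; for c43
    the tunnel server's Tunnel-Link-Stop never arrived; one NAS packet is forged."""
    full = [TUNNEL_START, TUNNEL_LINK_START, TUNNEL_LINK_STOP, TUNNEL_STOP]
    nas = (_sequence(full, "192.0.2.10", "c42", NAS_SECRET)
           + _sequence(full, "192.0.2.10", "c43", NAS_SECRET, 10)
           + _sequence([TUNNEL_LINK_START], "192.0.2.10", "c42", b"not-the-secret", 99))
    lns = (_sequence(full, "203.0.113.9", "c42", LNS_SECRET)
           + _sequence([TUNNEL_START, TUNNEL_LINK_START, TUNNEL_STOP], "203.0.113.9", "c43", LNS_SECRET, 10))
    return nas, lns
```

Running `reconcile(*sample_packets(), NAS_SECRET, LNS_SECRET)` reports tunnel c42 as consistent with four messages a side (M=1, so 2(M+1)=4) and c43 as inconsistent because the server side is missing its Tunnel-Link-Stop; the forged NAS packet never enters either count. Two practical notes: the MD5-based authenticator is what the RFC specifies and is all a legacy NAS will give you, so RADIUS accounting between an ISP and a customer belongs inside IPsec or on a dedicated path; and the reconciliation key is only as unique as Acct-Tunnel-Connection, which is why the text above tells L2TP/PPTP implementers to populate it from the Call-Serial-Number.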
5. Table of Attributes

The following table provides a guide to which attributes may be found in Accounting-Request packets. No tunnel attributes should be found in Accounting-Response packets.

Request   #   Attribute
0-1      64   Tunnel-Type
0-1      65   Tunnel-Medium-Type
0-1      66   Tunnel-Client-Endpoint

The following table defines the meaning of the above table entries.

0     This attribute MUST NOT be present in packet.
0-1   Zero or one instance of this attribute MAY be present in packet.

6. Security Considerations

By "sniffing" RADIUS Accounting packets, it might be possible for an eavesdropper to perform a passive analysis of tunnel connections.

7. References

[1] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[3] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. and

9. Authors' Addresses

Questions about this memo can be directed to:

10. Full Copyright Statement

Copyright (C) The Internet Society (2000). All Rights Reserved.

rfc4283.txt:
The capability to identify a mobility entity via identifiers other than the IPv6 address can be leveraged for performing various functions, for example,

o authentication and authorization using an existing AAA (Authentication, Authorization, and Accounting) infrastructure or via an HLR/AuC (Home Location Register/Authentication Center)

o dynamic allocation of a mobility anchor point

o dynamic allocation of a home address

This option SHOULD be used when Internet Key Exchange (IKE)/IPsec is not used for protecting binding updates or binding acknowledgements as specified in [RFC3775]. It is typically used with the authentication option [RFC4285].
But this option may be used independently. For example, the identifier can provide accounting and billing services.

rfc758.txt:
Decimal   Octal     Assignment
1         1         Reserved
2-71      2-107     AHHP Regular Messages [1,3]
72-151    110-227   Reserved
152       230       PARC Universal Protocol
153       231       TIP Status Reporting
154       232       TIP Accounting
155-158   233-236   Internet Protocol [44]
159-191   237-277   Measurements [28]
192-195   300-303   Message Switching Protocol [4,5]
196-255   304-377   Experimental Protocols
224-255   340-377   NVP [1,39]

rfc3334.txt:
Category: Experimental
G. Carle
Fraunhofer FOKUS
October 2002

Policy-Based Accounting

Status of this Memo

This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind.

Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

This document describes policy-based accounting, which is an approach to provide flexibility to accounting architectures. Accounting policies describe the configuration of an accounting architecture in a standardized way.
They are used to instrument the accounting architecture and can be exchanged between Authentication, Authorization and Accounting (AAA) entities in order to share configuration information.

This document describes building blocks and message sequences for policy-based accounting in the generic AAA architecture (RFC 2903). Examples are given for the usage of accounting policies in different scenarios. It is also shown how accounting components can be integrated into the AAA authorization framework (RFC 2904). This document does not propose a language for the description of accounting policies. Rather, it is assumed that a suitable policy language can be chosen from existing or upcoming standards.

Table of Contents

1. Introduction
1.1 Motivation
1.2 Document Scope
2. Terminology
3. Impact of Provider Network Characteristics on Accounting
4. Business roles and relations
5. Reference Model and Building Blocks
6. Accounting Policies
6.1 Accounting Policy Condition
6.2 Accounting Policy Action
6.3 Example for Meter Configuration
7. Accounting Services
7.1 Integrated Accounting
7.2 Discrete Accounting
7.3 Intra-Domain Accounting
7.4 Inter-Domain Accounting
8. Accounting with different Authorization Models
8.1 Agent Sequence
8.2 Pull Sequence
8.3 Push Sequence
8.4 Roaming
9. Examples
9.1 Printing Service Example
9.1.1 Intra-Domain Accounting
9.1.2 Inter-Domain Accounting
9.1.3 User Accounting Indication
9.2 Mobile/Roaming Example
9.3 Diffserv Example
9.4 User Accounting Indication Example
10. Security Considerations
11. References
12. Acknowledgments
Authors' Addresses
Full Copyright Statement

Zseby, et al. Experimental [Page 1]

RFC 3334 Policy-Based Accounting October 2002

the ability of the user to give a good prediction of the expected traffic characteristics. This can be alleviated by using a charging scheme that is based on both the reserved and the used resources. In order to support usage-based charging, the collection of information about the resource reservation and utilization is required. The collection of data about resource usage is called accounting.

Service providers have various options for service differentiation, charging schemes and the provisioning of accounting services. The applied charging schemes for the provided services are one significant feature used by providers to distinguish themselves from competitors. Therefore, providers use different charging schemes and may change the schemes in accordance with their business plan. Providers can also offer different accounting services (e.g. standard, comprehensive, etc.) in order to allow customers/users to choose one scheme that meets the customers'/users' needs. Furthermore, it may be advantageous for a provider to outsource accounting functionality to a third party. Users introduce various traffic profiles and may have individual preferences regarding accounting services (like itemized invoices, accounting indications, spending limits etc.).

One further challenge for the configuration of accounting services is the heterogeneity of metering and accounting infrastructures within provider domains. Also, the usage of different accounting and metering solutions in different provider networks complicates the sharing of configuration parameters (e.g. in roaming scenarios).
   The configuration and dynamic adaptation of the accounting process to
   the business model and specific user demands requires a flexibly
   configurable accounting infrastructure. The utilization of
   standardized policies for the expression of conditions and related
   configuration actions also allows the configuration of heterogeneous
   infrastructures. For this purpose we propose to use accounting
   policies to configure the accounting infrastructure and use the
   Authentication, Authorization and Accounting (AAA) architecture to
   exchange and to deploy these policies.

1.2 Document Scope

   This document describes the structure and usage of accounting
   policies. It shows how the characteristics of the provider network
   influence the requirements for accounting. The relations between the
   different roles that are involved in the accounting process and the
   required building blocks for an accounting architecture are
   introduced. This document describes an architecture and mechanisms
   to configure the accounting service. It proposes to use the AAA
   protocol for the exchange of accounting configuration information
   expressed in policies. It does not propose a specific protocol for
   the accounting configuration itself. The configuration itself can be
   done by existing protocols (e.g. Common Open Policy Service Protocol
   for Support of Policy Provisioning - COPS-PR, Simple Network
   Management Protocol - SNMP, etc.). Furthermore, it is shown how
   different accounting services can be provided in intra- and
   inter-domain scenarios. Examples are given for the usage of
   accounting policies in different scenarios. They show how accounting
   components can be integrated into the authorization framework
   proposed in [RFC2904].

   Accounting management architectures and objectives as well as the
   transport of accounting records are discussed in [RFC2975] and are
   not further explained here. This document focuses on the
   configuration of the accounting architecture and measurement devices.

   The policy-based accounting architecture presented in this document
   describes policy-based accounting from the perspective of a Generic
   AAA Server [RFC2903]. Such a server combines into a single entity
   the functions of managing accounting policy, together with the
   functions of managing user-specific authentication, authorization and
   service provisioning.
   Some service providers may choose to implement
   an approach that does not combine these functions into a single
   entity or protocol, in which case that particular aspect of this
   architecture does not apply.

   This document does not propose a language for the description of
   accounting policies. It is rather assumed that a suitable policy
   language can be chosen from existing or upcoming standards.

2. Terminology

   Accounting Indication/Confirmation
         Accounting indication messages are pushed from the
         originating AAA server (the server where the accounting
         information was generated) to the recipient, which can be an
         AAA server or a customer/user application. Accounting
         indications contain accounting records which describe the
         resource consumption for a service. Accounting indication
         messages can also contain aggregated information for multiple
         services. There can be interim and end-of-session accounting
         indication messages. Interim indications are delivered at
         specified intervals to the recipient during the service
         session, while end-of-session indications are given to the
         recipient at the end of the session only. Accounting
         indications may be acknowledged by accounting confirmations
         to provide application layer reliability.

   Accounting Policy Indication/Confirmation
         Accounting policy indication messages contain accounting
         policies and are sent from a customer/user or an AAA server to
         another AAA server. Accounting policy indications may be
         acknowledged by accounting policy confirmations to provide
         application layer reliability.

   Accounting Request/Answer
         Accounting requests are sent by an AAA server to another AAA
         server to request the current accounting information for a
         particular session set (polling). The request is answered
         with an accounting answer which contains the accounting
         records.

   Accounting Policy Request/Answer
         Accounting policy requests are sent by an AAA server to
         another AAA server or a customer/user to request accounting
         policies for a service. The request is answered by an
         accounting policy answer that contains the accounting policy.

   Accounting Policies
         Accounting policies describe rules for generation, transport
         and storage of accounting data. These rules are used for the
         configuration of the accounting process.
   Application Specific Module (ASM)
         An ASM provides the functionalities required for the user
         configuration of a service to an authenticated and authorized
         user. It gets application specific information (ASI) (e.g.

   [...]

         A charging scheme is an instruction for calculating a charge.
         Usually, a charging scheme is represented by a formula that
         consists of charging variables (e.g. volume, time, reserved
         peak rate) and charging coefficients (e.g. price per time
         unit). The charging variables are usually filled by
         information from accounting data.

   Classifier
         This document uses the definition of classifier as given in
         [RFC2475]. Since this document assumes that meters already
         include classification functions, the term classifier is only

   [...]

   Meter
         This document uses the definition of meter as given in
         [RFC2722]. This meter definition already includes the

   [...]

3. Impact of Provider Network Characteristics on Accounting

   There are many options for future service providers for the
   realization of service differentiation and provisioning. Therefore,
   provider networks can vary with respect to several characteristics
   that impact accounting and charging:

   - Size and Purpose
   A small ISP that deals with individual customers may charge
   individual users based on single flows. Backbone operators often
   have small ISPs and large corporations as customers, and usually
   charge based on traffic aggregates instead of individual flows.

   - QoS provisioning technique
   Diffserv accounting requirements differ from Intserv accounting
   requirements (e.g. meter granularity).

   - Service classes
   The definition of service classes within a network and the degree of
   freedom that customers are given (e.g. gold/silver/bronze service vs.
   a free choice of individual traffic profile parameters) is important,
   e.g. for the flow classification within the network, and influences
   the accounting functions required.

   - Charging scheme
   There exists a wide variety of charging schemes using tariff
   variables based on different technical and/or economic models. The
   chosen charging scheme(s) influence the accounting requirements for
   the provider.
   While some charging schemes lead to zero or only a few
   accounting requirements, other charging schemes may be highly
   demanding. For instance, flat rate charging schemes require no
   accounting infrastructure at all. In contrast to this, volume-based
   charging schemes require the measurement of the transmitted volume
   and, with this, increase the complexity of accounting. Tariffs
   that introduce variable prices may require providing the users
   regularly with accounting information (e.g. by interim accounting
   indications).

   - Accounting Services
   Providers may offer different accounting services (e.g. accounting
   indication, itemized invoice, etc.).

   - Accounting agreements with other providers
   Providers may have agreements with other providers in order to share
   accounting tasks and distribute accounting data so that, e.g.,
   metering need only be done once. If so, it may be useful if
   providers can not only exchange accounting data, but also information
   on the configuration of accounting modules (e.g. meters). It is
   important for providers to agree beforehand how accounting data will
   be collected and monitored, and how disputes concerning accounting
   data will be resolved. In order to minimize disputes between
   providers, it is important for them to agree that either both will
   collect accounting data - and will compare it with the other's data
   at regular intervals, e.g. monthly - or both will use a single source
   of accounting data provided by one of them (or by a trusted third
   party).

   - Exploiting Capabilities of Existing Infrastructure (meters, data
   collection points)
   Providers may already have functions within the network that can
   provide accounting functions (e.g. MIB objects, profile meters,
   proprietary accounting solutions). In order to avoid duplicated
   functionality, it should be possible to use these accounting
   resources. Therefore, the configuration of different types of
   accounting modules (e.g. meters) should be possible. A common
   language to express accounting module configurations would be useful
   for this purpose.

4. Business roles and relations

   In investigating service provisions in the current and forthcoming

   [...]
   Error Correction - FEC). A transport service might also
   include mechanisms on other layers for improving the transport
   (e.g. MPLS).

   - Management services are responsible for the management of
   resources (e.g. configuration, accounting, security).
   Accounting services describe the provisioning of data about the
   current or previous resource reservation and usage. Accounting
   services are needed by providers to generate a bill or by users
   to monitor their resource usage.

   - Service Subscriber
   The service subscriber is the entity that has subscribed to a service

   [...]

   network of a network provider is probably not a global network which
   connects all subscribers, providers and brokers. The transport
   network is segmented into a number of sub-networks or domains
   controlled by different network providers with business relations
   existing between them. Each domain is responsible for intra-domain
   management and accounting. For inter-domain management and
   accounting, appropriate communication interfaces between network
   providers must exist.

   - Service Provider
   A service provider entity provides a service. A service provider can
   offer a service directly to the service subscriber/user. A service

   [...]

   other service providers, subscribers, brokers and network providers.
   A service provider provides information services on top of transport
   services provided by network providers.

   [...]

   The following examples show how this business relationship model can
   be applied to different services.

   [...]

   get a reference to appropriate network providers.

5. Reference Model and Building Blocks

   We have developed a reference model for describing the interactions
   between the different metering, accounting and charging processes and
   their configuration via policies. This reference model is shown in
   Figure 2. At the right side, five layers show the different building
   blocks. The blocks are layered according to the processing of the
   data from the bottom level metering via accounting, up to the final
   billing process. Data aggregation is not only done at the collection
   layer, it can also be done at the other layers.
   The building blocks
   on the different layers are configured through the policies shown on
   the left side. Higher layer policies can be translated into lower
   layer policies. The configuration parameters are extracted from the

   [...]

   distinguished: Static meters and configurable meters. In the case of
   static meters, all flows are measured with a fixed granularity, not
   distinguishing if a subsequent charging process needs the specific

   [...]

   - Collection
   The data gathered by the meter(s) has to be collected for further
   processing. Collection of meter data can be initiated by the meter
   itself (push model) or by a collector entity (pull model). Collected
   data can be aggregated before being passed to the accounting layer.
   Metering policies define how collection and aggregation are done.

   [...]

        POLICY CONFIGURATION                 BUILDING BLOCKS

        +---------------+               +-------------------------+
        [...]
        |               |-------------->|        Charging         |
        +---------------+               +-------------------------+
                |                                  ^ acct
                V                                  | data
        +---------------+               +-------------------------+
        |  Accounting   |               |                         |
        |               |-------------->|        Accounting       |
        +---------------+               +-------------------------+
                |                                  ^ aggr. meter
                V                                  | data
        +---------------+               +-------------------------+
        |               |-------------->|        Collection       |
        [...]
        |               |-------------->|        Metering         |
        +---------------+               +-------------------------+

                        Figure 2: Reference Model

   - Accounting
   Accounting describes the collection of data about resource
   consumption. This includes the control of data gathering (via
   metering), transport and storage of accounting data. For subsequent
   charging, the metered data must be associated with a user that is the
   initiator of a flow and a customer (service subscriber) that is
   responsible for payment. For initiation of an accounting process, a
   user or foreign provider must be authenticated and authorized. These
   three functions can be performed by the AAA server.
   The accounting
   process is configured through accounting policies.

   - Charging
   Charging derives non-monetary costs for accounting data sets based on
   service and customer specific tariff parameters. Different cost
   metrics may be applied to the same accounting records, even in
   parallel. Charging policies define the tariffs and parameters which
   are applied.

   - Billing
   Billing translates the costs calculated by charging into monetary
   units and generates a final bill for the customer. Billing policies

   [...]

   the bill (e.g. itemized or not, partial anonymization, etc.) and the
   time for billing (e.g. weekly, monthly, etc.).

   We propose to use policies expressed in a standardized way to
   appropriately configure the meter, meter data collection and
   accounting processes.

6. Accounting Policies

   Accounting policies describe rules for generation, transport and
   storage of accounting data. They can be exchanged between AAA
   instances at the user or provider premises. They provide a
   standardized representation of configuration information that can be
   converted into the appropriate settings for different elements of the
   accounting infrastructures (e.g. different meters).

   As shown in Figure 2, accounting policies configure the accounting
   process. Policies for the configuration of the metering and
   collection process can be derived from accounting policies.
   Accounting policies are not used to configure the charging or billing
   process. Accounting policies reside in the AAA server (local
   policies) or are received from other AAA servers (extra-domain
   policies) or customers/users. Two different models of obtaining
   accounting policies can be differentiated: the push and the pull
   model.

   Push Model
   In the push model, accounting policies are pushed from another AAA
   server or customer/user in order to establish the policies in the
   local accounting infrastructure. The acceptance and use of pushed
   policies requires special security considerations. The evaluation of
   the policy should not take place without an appropriate security
   check of the policy in advance. Also, the evaluation of the
   condition can lead to unwanted actions in the AAA server if the
   condition contains critical data, either intentionally (to attack the

   [...]

   the condition, has to be checked for potential security hazards
   before it is evaluated.
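   The check the push model calls for, as an added example that is not
   part of RFC 3334 and not any AAA implementation's code: a pushed
   policy is parsed, the sender's authority over the named realm is
   verified, and both the condition and the action are validated against
   an allow-list and local bounds before anything is evaluated. The JSON
   encoding, the attribute/parameter names, the realm model and the
   numeric limits are assumptions made for the example, since the RFC
   itself deliberately fixes no policy language.

```python
"""Pre-evaluation security check of a pushed accounting policy.

Added example, not code from RFC 3334.  The JSON encoding ({"realm", "rules"},
each rule a "condition" list of [attr, op, value] tests plus an "action"
object), the parameter names and the local limits are assumptions made
for this example; the RFC itself fixes no policy language.
"""
import ipaddress
import json

# Condition attributes (section 6.1) with the operators allowed on each.
# Only these are ever evaluated, so a pushed condition cannot carry code.
CONDITION_OPS = {"user_id": {"eq"}, "ip_address": {"in_subnet"}, "time_of_day": {"between"},
                 "service_class": {"eq"}, "accounting_type": {"eq"}}
# Action parameters (section 6.2) and the local bounds imposed on foreign policies.
ACTION_KEYS = {"attributes", "destination", "report_interval_s", "storage_days", "access_list"}
ALLOWED_ATTRIBUTES = {"octets", "packets", "start_time", "end_time", "src_ip", "dst_ip", "dscp"}
ALLOWED_DESTINATIONS = {"charging", "neighbor_provider", "user", "database"}
MIN_REPORT_INTERVAL_S = 60   # a shorter interval would let a peer overload meters/collectors
MAX_STORAGE_DAYS = 400

class PolicyRejected(ValueError):
    """The pushed policy failed a check and must not be evaluated."""

def check_pushed_policy(raw: str, sender: str, authorized: dict) -> dict:
    """Vet a pushed policy and return it, or raise PolicyRejected.  `sender` is the
    peer identity the AAA protocol authenticated; `authorized` maps sender -> realms."""
    try:
        policy = json.loads(raw)
    except ValueError as e:
        raise PolicyRejected(f"not valid JSON: {e}") from None
    if not isinstance(policy, dict) or set(policy) != {"realm", "rules"}:
        raise PolicyRejected("policy must have exactly 'realm' and 'rules'")
    # 1. Authorization: a sender may only install policies for its own realms.
    if policy["realm"] not in authorized.get(sender, set()):
        raise PolicyRejected(f"{sender} may not set policies for realm {policy['realm']!r}")
    if not isinstance(policy["rules"], list) or not policy["rules"]:
        raise PolicyRejected("'rules' must be a non-empty list")
    for i, rule in enumerate(policy["rules"]):
        if not isinstance(rule, dict) or set(rule) != {"condition", "action"}:
            raise PolicyRejected(f"rule {i}: needs exactly 'condition' and 'action'")
        _check_condition(rule["condition"], i)
        _check_action(rule["action"], i)
    return policy

def _check_condition(cond, i):
    # 2. Every test is [attr, op, value] from the allow-list, with a typed value.
    if not isinstance(cond, list):
        raise PolicyRejected(f"rule {i}: condition must be a list of tests")
    for test in cond:
        if not (isinstance(test, list) and len(test) == 3):
            raise PolicyRejected(f"rule {i}: test must be [attr, op, value]")
        attr, op, value = test
        if op not in CONDITION_OPS.get(attr, ()):
            raise PolicyRejected(f"rule {i}: {attr!r} {op!r} not allowed")
        if op == "in_subnet":
            try:
                ipaddress.ip_network(value, strict=True)
            except ValueError:
                raise PolicyRejected(f"rule {i}: bad subnet {value!r}") from None
        elif op == "between":
            if not (isinstance(value, list) and len(value) == 2
                    and all(isinstance(v, int) and 0 <= v <= 24 for v in value)):
                raise PolicyRejected(f"rule {i}: time_of_day needs [h_from, h_to]")
        elif not isinstance(value, str):
            raise PolicyRejected(f"rule {i}: value for {attr!r} must be a string")

def _check_action(action, i):
    # 3. Only the parameters of section 6.2, and only within local bounds.
    if not isinstance(action, dict) or not set(action) <= ACTION_KEYS:
        raise PolicyRejected(f"rule {i}: unknown action parameters")
    if not set(action.get("attributes", [])) <= ALLOWED_ATTRIBUTES:
        raise PolicyRejected(f"rule {i}: unsupported accounting attributes")
    if action.get("destination", "database") not in ALLOWED_DESTINATIONS:
        raise PolicyRejected(f"rule {i}: destination not allowed")
    interval = action.get("report_interval_s", MIN_REPORT_INTERVAL_S)
    if not isinstance(interval, int) or interval < MIN_REPORT_INTERVAL_S:
        raise PolicyRejected(f"rule {i}: report interval below local minimum")
    days = action.get("storage_days", 0)
    if not isinstance(days, int) or not 0 <= days <= MAX_STORAGE_DAYS:
        raise PolicyRejected(f"rule {i}: storage time out of bounds")

def accepted(raw: str, sender: str, authorized: dict) -> bool:
    try:
        check_pushed_policy(raw, sender, authorized)
        return True
    except PolicyRejected:
        return False

# Constructed samples (not real peers or policies).
AUTHORIZED = {"aaa.peer.example": {"example.net"}}
GOOD = json.dumps({"realm": "example.net", "rules": [{
    "condition": [["service_class", "eq", "gold"], ["ip_address", "in_subnet", "192.0.2.0/24"]],
    "action": {"attributes": ["octets", "packets"], "destination": "charging",
               "report_interval_s": 300, "storage_days": 90}}]})
# Condition smuggles an expression where an allow-listed attribute belongs.
EVIL_COND = json.dumps({"realm": "example.net", "rules": [{
    "condition": [["__import__('os').system", "eq", "id"]], "action": {}}]})
# Action diverts records to an outside host at a 1 s interval.
EVIL_ACT = json.dumps({"realm": "example.net", "rules": [{
    "condition": [], "action": {"destination": "203.0.113.9", "report_interval_s": 1}}]})
```

   The point of the structure is that the condition is data, never an
   expression: the only way a pushed rule can influence the AAA server
   is through the fixed set of attribute tests and bounded action
   parameters, so the "critical data in the condition" hazard the text
   describes is excluded before evaluation rather than caught during it.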
   Pull Model
   In the pull model, the AAA server requests the policy from a remote
   AAA server or customer/user by sending an accounting policy request.
   The remote AAA server sends an accounting policy answer as a reply
   that contains the appropriate policy.

   Accounting policies are enforced by the network elements that are
   configured in accordance with the policies. They influence the
   following settings in the accounting architecture:

   - meter configuration
   - data collection and aggregation
   - accounting record distribution and storage

6.1 Accounting Policy Condition

   An accounting policy consists of one or more rules, each having a
   condition part and an action part. The condition part expresses
   under which condition the policy should be enforced. The following
   attributes are examples of variables in a policy condition
   statement.

   - customer/user ID
   The customer/user ID identifies the customer or user of the service.
   It can be used in a policy condition in order to select a customer or
   user specific accounting configuration (as policy action). For
   example, it can be user-dependent whether accounting indications are
   sent to the user or not.

   - IP address
   IP addresses specify the devices or networks from which the service
   usage takes place. The address of specific hosts or subnets can be
   used to select accounting strategies specific to the customer or a
   user group associated with this address (e.g. all customers of an
   ISP, all public terminals etc.).

   - time of day
   The time of day can be used, for instance, to configure the level of
   detail for the accounting record, the report interval and the
   destination.

   - service class
   Service classes are defined by the provider. They describe different
   levels or different kinds of services that are offered by the
   provider and are usually defined based on a business model.
   Customers/users select a service class. This selected class can be
   used in accounting policies to define appropriate accounting settings
   per class. With this it is possible, for instance, to provide more
   detailed accounting records for higher prioritized services than for
   standard services.

   - accounting type
   Accounting types combine multiple accounting settings under one
   keyword. Like service classes, the offered accounting types are
   defined by the provider in accordance with the business model. With
   this, providers can offer, for instance, different accounting types
   for one service and allow the customer/user to select one. The
   combination of settings under one keyword simplifies the selection
   for users. An example is the combination of highly granular accounting
   records with short report intervals under a keyword (e.g.
   "comprehensive accounting"), or less frequent generation of less
   detailed records accessed by another keyword ("standard accounting").
   The definition of accounting types can also help in inter-domain
   scenarios if providers agree on accounting types.

6.2 Accounting Policy Action

   The action part defines the action that takes place if the condition
   is true. The action for an accounting policy is usually the
   configuration of the accounting infrastructure. This can already
   include settings for meters and collection entities.
The following ../data/rfc/rfc3334.txt: list gives examples for parameters of the accounting infrastructure ../data/rfc/rfc3334.txt: that can be configured by an accounting policy action: ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: - accounting record type/structure ../data/rfc/rfc3334.txt: The required accounting data depends on the charging scheme. ../data/rfc/rfc3334.txt: Therefore, different accounting records should be supported. There ../data/rfc/rfc3334.txt- are two possibilities: Either different record types are defined, or ../data/rfc/rfc3334.txt- a flexible record is used that consists of a variable set of ../data/rfc/rfc3334.txt: accounting attributes. Accounting policies can be used to ../data/rfc/rfc3334.txt: communicate to neighbor providers which kind of accounting record is ../data/rfc/rfc3334.txt- needed to provide appropriate data for the charging scheme. The ../data/rfc/rfc3334.txt: specification of the required accounting attributes can influence the ../data/rfc/rfc3334.txt: settings of different components of the accounting architecture (e.g. ../data/rfc/rfc3334.txt: which attributes have to be measured). An overview of accounting ../data/rfc/rfc3334.txt- attributes and records can be found in [RFC2924]. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: - accounting record destination ../data/rfc/rfc3334.txt: The accounting record destination describes to which entities ../data/rfc/rfc3334.txt: accounting records are sent. The accounting record destination can ../data/rfc/rfc3334.txt- be a charging entity, a neighbor provider, a user entity or a ../data/rfc/rfc3334.txt- specific database. In these cases, authentication and authorization ../data/rfc/rfc3334.txt- mechanisms have to be applied in order to ensure that unauthorized ../data/rfc/rfc3334.txt- entities cannot get access to confidential data. 
- report interval
The report interval specifies in what time intervals accounting records are generated and sent. This influences the configuration of meters and collectors in the accounting architecture.

- storage time
If the accounting record destination is a database or a log file, the storage time specifies how long the accounting records have to be stored.

- access list
The access list specifies who has the permissions to read the stored accounting records.

- flow granularity
The flow granularity determines how fine grained (in coverage) the flows in the network are measured. The granularity usually is configured by installing specific classification rules in the meter.

[...] used to configure sampling schemes.

6.3 Example for Meter Configuration

Note: In the following examples, the use of NeTraMet or NetFlow to collect accounting information does not guarantee exact accounting data, so it is not recommended for use in situations where exact accounting data are needed.
The following two examples show how accounting policies can be used to configure different meters. The accounting policy is sent from the AAA server to the ASM and there converted to the appropriate configuration information for the meter in use.

If the meter NeTraMet [RFC2123] is used, the policy is converted into a NeTraMet ruleset that contains the relevant flows, attributes and [...]

[Figure 3 (ASCII diagram, not recoverable from the extraction). Labelled elements: AAA, ASM, Meter Manager, Meter Reader, Meter; arrows labelled Policy, Accounting Records, config, SNMP (conf), SNMP (DATA).]

Figure 3: Policy based Accounting with NeTraMet

If the meter NetFlow [NetFlow] is used, the meter policies are translated by the ASM into filter instructions for the flow collector. The meter itself is static and therefore is not affected by the configuration information. [...]

[Figure 4 (ASCII diagram, not recoverable from the extraction). Labelled elements: AAA, ASM, Flow Collector containing a Classifier, Meter; arrows labelled Policy, Accounting Records, config, UDP (DATA).]

Figure 4: Policy based Accounting with NetFlow

7. Accounting Services

Accounting can be seen as part of the service provisioning process (integrated accounting) or as a separate service (discrete accounting). The different views and their impact on the accounting architecture are described below.

7.1 Integrated Accounting

In the integrated accounting model, the accounting is seen as part of the provisioned service. That means the accounting is coupled with a specific service. Therefore, the accounting process is tailored to the specific service and might collect accounting information by directly exploiting some service specific entities. For example, accounting for IP telephony could use call signaling information from a SIP server. The configuration of the accounting architecture is done as part of the user configuration of the service equipment. Accounting policies are defined as part of the contractual agreement. The ASM converts the instructions from the AAA server into the appropriate user configuration including settings for the accounting architecture.
[Figure 5 (ASCII diagram, not recoverable from the extraction). Labelled elements: Generic AAA Server (interfaces 1), Service containing Service Provision and Accounting/Metering, Accounting Data store (interface 3).]

Figure 5: AAA Server with Integrated Accounting

Data about the resource consumption is sent back to the AAA server via the ASM. The accounting process within the service converts the metered data into accounting records which are sent to the AAA server. For generating accounting records, data conversion, aggregation and filtering of data might be performed.

7.2 Discrete Accounting

In contrast to the integrated accounting approach, accounting can also be seen as a separate or discrete service on its own.
In this case the accounting does not have to be coupled with a specific service. Discrete accounting can be used for outsourcing the accounting task. The accounting service can be provided by a general accounting system which is able to account for different services.

For example, a generalized meter can do accounting for web traffic, FTP traffic and voice over IP traffic. If accounting is a separate service, one provider can do the accounting (charging and billing) for several other service providers. Accounting is offered just like any other service. This means authentication and authorization might be required prior to the accounting service provisioning. Furthermore, it is important that the involved parties agree beforehand how the accounting service is provided, what parameters can be set and how disputes will be resolved. After the accounting service has been configured, the AAA server can do the user configuration of the service.

[Figure 6 (ASCII diagram, not recoverable from the extraction). Labelled elements: Generic AAA Server (interfaces 1 and 5), Service, Accounting/Metering, Accounting Data store (interface 3).]

Figure 6: AAA Server with Discrete Accounting

A service provider that has outsourced the accounting service has to request this service from an accounting service provider. The generated accounting records are sent from the accounting provider to the service provider, who may make modifications to the records before sending them to the final destination. Having such a general accounting service might speed up the creation of new services - especially specialized content services - in the Internet. This separation is also beneficial to support special accounting services (e.g. sending accounting indications to users) that are not directly coupled to a network service. Furthermore, this separation is useful if the same set of accounting strategies can be applied to different services (e.g. different tariffs which can be used for a set of services).

Another option is to outsource only the metering service. The meter service provider generates meter data and sends them to the service provider who has requested them.
The service provider then generates accounting records based on the received meter data. A separate accounting or metering service provider can be used to validate the accounting data generated by a service provider. If the customer does not trust a service provider, or in the case of a legal action, a trusted accounting or metering provider is able to validate the correctness of the accounting data generated by the service provider.

7.3 Intra-Domain Accounting

In intra-domain accounting [RFC2975], the data about resource consumption is collected in one administrative domain for usage in that domain. Accounting policies are enforced locally. Since no exchange of accounting data with other domains is required in this scenario, accounting policies do not need to be exchanged with other entities.

[Figure 7 (ASCII diagram, not recoverable from the extraction). Labelled elements: Billing, ASM, AAA linked to an Accounting Policies store, ASM, End System (User) sending Service usage to the Provider's Service, which contains Accounting; arrows labelled config and Accounting Records.]

Figure 7: Intra-Domain Accounting

7.4 Inter-Domain Accounting

For inter-domain accounting, at least two administratively separated networks are involved in the accounting process. These can be a home and a foreign provider in a roaming/Mobile IP scenario [RFC2002] or a chain of providers if service provisioning involves data transfer and/or services from different domains. In these scenarios, the exchange of accounting policies between providers is necessary if accounting tasks are delegated to one provider or shared among multiple providers. The exchange of accounting policies is done by the AAA servers as shown in the figure below.
[Figure 8 (ASCII diagram, not recoverable from the extraction). Labelled elements: Billing; End System (User); the Foreign-Provider's Service containing Accounting; Home-Provider; arrows labelled Service usage and Acct. Records.]

Figure 8: Inter-Domain Accounting (Roaming Example)

In this example, the foreign provider takes over the collection of accounting data. The home provider is responsible for applying a charging scheme and sending the bill. Therefore, the home provider needs accounting data from the foreign provider. In order to instruct the foreign provider about the desired accounting record type and report frequency, the home AAA server sends an accounting policy indication to the foreign AAA server. The indication contains the accounting policy. Instead of sending an indication, the accounting policies could also be piggybacked onto an authorization reply. If the foreign AAA server is able to configure devices in a way that enforces the desired policy (e.g. the meters are capable of metering the requested attributes), the accounting policy indication is acknowledged. In case the requested policy cannot be enforced, the accounting service is denied. Reasons to deny the enforcement of a specific accounting policy could be, e.g., that the meter is not capable of measuring the requested attributes, that the frequency of records cannot be provided, or that the home provider is not authorized to get the requested detailed data. In this case procedures would be useful to negotiate the smallest common denominator for the involved AAA servers regarding the provisioning of accounting data.

8. Accounting with Different Authorization Models

The AAA authorization framework [RFC2904] introduces different message sequences for authorization. The integration of configurable accounting services for the message sequences can be done as described in the following sections.
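The accounting policy indication of section 7.4 and the accounting type keywords of section 6.1, as an added example that is not part of RFC 3334: the home AAA server expands a keyword into a concrete policy, the foreign AAA server checks it against what its meter can measure and what the peer is authorized to receive, and on denial proposes the smallest common denominator. The keyword names, attribute names, the ForeignDomain fields and all sample values are constructed assumptions, not anything the RFC defines.

```python
# Constructed example: keywords, attribute names, ForeignDomain fields and
# sample values are assumptions for illustration, not RFC 3334 definitions.
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

# Accounting types bundle several settings under one keyword (section 6.1).
ACCOUNTING_TYPES = {
    "comprehensive accounting": dict(
        attributes=frozenset({"src_ip", "dst_ip", "bytes", "packets", "start", "end"}),
        report_interval_s=60,
        flow_granularity="per-flow",
    ),
    "standard accounting": dict(
        attributes=frozenset({"src_ip", "bytes", "start", "end"}),
        report_interval_s=900,
        flow_granularity="per-user",
    ),
}

# Flow granularities ordered from coarse to fine (constructed ordering).
GRANULARITY_ORDER = ["per-user", "per-service", "per-flow"]


@dataclass(frozen=True)
class AccountingPolicy:
    """The action part of an accounting policy: the settings it installs."""
    attributes: FrozenSet[str]        # accounting attributes to measure and report
    report_interval_s: int            # how often records are generated and sent
    flow_granularity: Optional[str]   # classification granularity for the meter
    destination: str                  # entity that receives the accounting records


def policy_from_type(keyword: str, destination: str) -> AccountingPolicy:
    """Home AAA side: expand an accounting type keyword into a concrete policy."""
    return AccountingPolicy(destination=destination, **ACCOUNTING_TYPES[keyword])


@dataclass(frozen=True)
class ForeignDomain:
    """What the foreign provider's meters can do and what this peer may receive."""
    meter_attributes: FrozenSet[str]         # attributes the meter can measure
    min_report_interval_s: int               # shortest interval the collector supports
    meter_granularities: FrozenSet[str]      # granularities the classifier supports
    peer_allowed_attributes: FrozenSet[str]  # detail the home provider may receive


def evaluate_indication(policy: AccountingPolicy, domain: ForeignDomain
                        ) -> Tuple[str, List[str], AccountingPolicy]:
    """Foreign AAA side: acknowledge the indicated policy, or deny it with the
    reasons and a counter-proposal that is the smallest common denominator."""
    reasons = []
    unmeasurable = policy.attributes - domain.meter_attributes
    if unmeasurable:
        reasons.append("meter cannot measure: " + ", ".join(sorted(unmeasurable)))
    unauthorized = policy.attributes - domain.peer_allowed_attributes
    if unauthorized:
        reasons.append("peer not authorized for: " + ", ".join(sorted(unauthorized)))
    if policy.report_interval_s < domain.min_report_interval_s:
        reasons.append("report interval %ds below supported minimum %ds"
                       % (policy.report_interval_s, domain.min_report_interval_s))
    if policy.flow_granularity not in domain.meter_granularities:
        reasons.append("granularity not supported: %s" % policy.flow_granularity)
    if not reasons:
        return "ack", [], policy
    # Counter-proposal: only attributes that are both measurable and authorized,
    # the longer of the two intervals, and the finest supported granularity that
    # is not finer than the one requested.
    rank = (GRANULARITY_ORDER.index(policy.flow_granularity)
            if policy.flow_granularity in GRANULARITY_ORDER else -1)
    supported = [g for g in GRANULARITY_ORDER[: rank + 1]
                 if g in domain.meter_granularities]
    counter = replace(
        policy,
        attributes=(policy.attributes & domain.meter_attributes
                    & domain.peer_allowed_attributes),
        report_interval_s=max(policy.report_interval_s, domain.min_report_interval_s),
        flow_granularity=supported[-1] if supported else None,
    )
    return "deny", reasons, counter


def negotiate(keyword: str, destination: str, domain: ForeignDomain
              ) -> Tuple[str, Optional[AccountingPolicy]]:
    """Home AAA side: indicate the policy; on denial accept the counter-proposal
    only if it still yields usable records (some attribute and a granularity)."""
    status, _, result = evaluate_indication(policy_from_type(keyword, destination), domain)
    if status == "ack":
        return "enforced", result
    if result.attributes and result.flow_granularity is not None:
        return "negotiated", result
    return "no accounting service", None


# Constructed foreign domain: its meter cannot count packets, its collector
# reports at most every 300 s, and the home provider may not receive dst_ip.
FOREIGN = ForeignDomain(
    meter_attributes=frozenset({"src_ip", "dst_ip", "bytes", "start", "end"}),
    min_report_interval_s=300,
    meter_granularities=frozenset({"per-user", "per-flow"}),
    peer_allowed_attributes=frozenset({"src_ip", "bytes", "start", "end", "packets"}),
)
```

With FOREIGN, "standard accounting" is acknowledged unchanged, while "comprehensive accounting" is denied with three reasons and settles on src_ip, bytes, start and end reported every 300 s.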
8.1 Agent Sequence

The appropriate accounting policy for the authorized service is either stored together with the authorization policy or in a separate repository. The configuration of the accounting infrastructure can be done together with the user configuration of the service equipment (messages 2 and 3 in Figure 9). User-specific configuration of the service equipment and the accounting infrastructure configuration might involve the transfer of configuration data to multiple entities in the network (e.g. to different routers for setting up QoS provisioning or to dedicated accounting meters).

[Figure 9 (ASCII diagram, not recoverable from the extraction). Labelled elements: user box, Service Provider containing Equipment; message 1 from the user.]

Figure 9: Accounting and Agent Sequence

In the agent sequence, it is possible to allow the user to send accounting policies (e.g. for accounting indications) together with the authorization request to the AAA server. Figure 9 shows the agent sequence authorization and accounting messages.

8.2 Pull Sequence

The configuration of the accounting infrastructure can be done similarly to the agent sequence, during the user configuration of the service equipment. Since the pull sequence does not involve the sending of a specific authorization request (e.g. if the service equipment is a Network Access Server (NAS) and the authorization sequence simply starts with the dial-in process), it would need additional communication to support accounting policy indications from users.

[Figure 10 (ASCII diagram, not recoverable from the extraction). Labelled elements: user box, Service Provider containing Equipment; messages AccPolInd and 4 (Equipment to user).]

Figure 10: Accounting and Pull Sequence

This can be achieved, for instance, by a hybrid model of agent and pull sequence where the user sends an accounting policy indication to the AAA server in addition to the message exchange of the pull sequence. Figure 10 shows the pull sequence authorization and accounting messages.

8.3 Push Sequence

In the push sequence, there is no direct connection between the AAA server and the service equipment. In this sequence there are three possibilities for setting up the accounting infrastructure:

a) A standard fixed accounting procedure that has been assigned in advance for the specific combination of authorized user and service is used.

b) The ticket (message 3 in Figure 11) contains information about the accounting policies used (e.g. different tickets for the same service with different accounting policies).
c) The ticket acts as a kind of digital coin and no further accounting is needed. This model also supports the anonymous usage of a service.

Figure 11 shows push sequence authorization and accounting messages.

[Figure 11 (ASCII diagram, not recoverable from the extraction). Labelled elements: user box, Service Provider containing AAA Server and Equipment; message 1 from the user to the AAA Server, message 4 from the Equipment to the user.]

Figure 11: Accounting and Push Sequence

8.4 Roaming

If the provisioning of the service and the final authentication/authorization process is done by different organizations, accounting is coupled to the service provisioning process rather than to the authentication/authorization process. Since the data doesn't have to traverse the home provider's network, the home provider has no possibility of collecting data about the resource consumption.
Therefore, accounting will usually take place in the foreign provider domain (i.e. in the domain that does the service provisioning). Nevertheless, in order to ensure consistency of the authentication, authorization and accounting processes (e.g. allocation of user IDs to accounting records) and the production of a bill, a connection between the accounting process in the service provisioning domain and the deciding authentication/authorization process (e.g. at the home provider) is needed.

A possible way of doing this is the following: the foreign provider gets the accounting policies from the home provider and sets up the accounting architecture in accordance with the given policies; the foreign provider can then generate accounting records and send them back to the home provider. The home provider can then apply charging and produce a bill. An example for this is given in section 9.2. This scenario requires a prior agreement between the involved providers about the possible policies and parameters that are allowed to be set.

[...]

9. Examples

The following examples illustrate the use of policy-based accounting.
Please note that the services used in the examples are used only for illustration purposes and their use in reality requires different messages and parameters.

9.1 Printing Service Example

The Internet Printing Protocol (IPP) [RFC2566], and especially the "print-by-reference" model, provides a very interesting example scenario for accounting and the interaction between authorization and accounting. We will describe possible solutions for the accounting of this service and how the accounting is triggered by the authorization. We will show how the model presented above can be used for this example.

IPP "print-by-reference" allows a user to request a print service to print a particular file. The file to be printed is not on the client system but rather on a public server. That is, the client's print request can contain a reference, or pointer, to the document instead of the actual document itself. The print service must then read the file to a file server (used for spooling) prior to the printing. There are two possible setups: the file and print server either belong to a single organization (intra-domain accounting) or to two different organizations (inter-domain accounting). In the first case, the user must be authorized by a single service provider for service usage.
In the second case, two different possibilities for establishing a trust relationship between the involved entities have to be distinguished [RFC2905].

9.1.1 Intra-Domain Accounting

In the case of a single organization, the file and print service is provided by a single service provider. The service subscriber and user role are either one entity (e.g. private home user) or different entities (e.g. company as subscriber, employee as user). For data transport via the underlying network, the transportation service of a network provider is used. In this case, the AAA server of the provider controls the access to the file and the print server. This means the AAA server enforces the accounting policies and collects accounting data for both servers.

9.1.2 Inter-Domain Accounting

If two different organizations are involved there are two possibilities for trust relationships as shown in [RFC2905]:

1. The user has an agreement with the print server; the print [...]

2. The user has agreements with both print and file server.
../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- In case 1, the user is first authorized by the print service and the ../data/rfc/rfc3334.txt- request is forwarded to the file server. The file server authorizes ../data/rfc/rfc3334.txt- the print server and determines if the printer is allowed to access ../data/rfc/rfc3334.txt: the file. In this case which is shown in Figure 12, the accounting ../data/rfc/rfc3334.txt- policies from the user arrive at the print service AAA server. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- USER DOMAIN PRINT SERVICE DOMAIN FILE SERVICE DOMAIN ../data/rfc/rfc3334.txt- | | ../data/rfc/rfc3334.txt- +------+ | | -- ../data/rfc/rfc3334.txt- | | | | and Printer | | | | ../data/rfc/rfc3334.txt- +------+ | +--------------------+ | +-------------------+ ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- 1: AccPolInd, 2: AccPolConf ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: Figure 12: Inter-Domain Accounting and Printing Service ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- The print service AAA server has to decide which policies can be ../data/rfc/rfc3334.txt- enforced locally and which must be passed further to the file service ../data/rfc/rfc3334.txt: AAA server. The print service can add additional accounting ../data/rfc/rfc3334.txt- policies. In case the file server does not support the desired ../data/rfc/rfc3334.txt: accounting policies, the print server must notify the user's AAA ../data/rfc/rfc3334.txt- server and some policy conflict resolution must occur. After the ../data/rfc/rfc3334.txt- file server has transferred the file to the print service, it ../data/rfc/rfc3334.txt: generates an accounting record according to the accounting policy and ../data/rfc/rfc3334.txt- passes it to the print service. The print service generates the ../data/rfc/rfc3334.txt: final accounting record for the service session based on its own and ../data/rfc/rfc3334.txt- the file service data after finishing printing. 
This record will be ../data/rfc/rfc3334.txt- used for the later billing process. Additionally, the print server ../data/rfc/rfc3334.txt- can send the final record to the user's AAA server. There it can be ../data/rfc/rfc3334.txt- used for later authorization decisions based on used resources, i.e. ../data/rfc/rfc3334.txt- if the customer is a company and the user is an employee. -- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-Zseby, et. al. Experimental [Page 30] ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:RFC 3334 Policy-Based Accounting October 2002 ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- In case 2, the customer AAA server has an agreement with file and ../data/rfc/rfc3334.txt: print server. In this case, the user's AAA server sends accounting ../data/rfc/rfc3334.txt- policies to the file and the print server. After finishing the ../data/rfc/rfc3334.txt: service, both servers generate accounting records for the delivered ../data/rfc/rfc3334.txt- services which are used for later billing. As in the former case, ../data/rfc/rfc3334.txt: the accounting data can be sent to the user's AAA server for use in ../data/rfc/rfc3334.txt- later authorization decisions. The user's AAA server can tie both ../data/rfc/rfc3334.txt: accounting records together and assign them to the user using audited ../data/rfc/rfc3334.txt: session information (authorization and accounting messages for a ../data/rfc/rfc3334.txt- particular session could be coupled via a session ID) and policies ../data/rfc/rfc3334.txt- that define which activities a certain session is composed of. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:9.1.3 User Accounting Indication ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- For the printing service, there are a number of possible options for ../data/rfc/rfc3334.txt: sending accounting indications to the user. 
Accounting indications ../data/rfc/rfc3334.txt- give the user an indication of how much resources have been used ../data/rfc/rfc3334.txt: until the time of the indication. A user can receive accounting ../data/rfc/rfc3334.txt: indications or not depending on the accounting policy for the user. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- For Internet printing with the "print-by-reference" model, such ../data/rfc/rfc3334.txt- indications would be very helpful for the user. Since the file is ../data/rfc/rfc3334.txt- not on the clients site, the user might not have information on the ../data/rfc/rfc3334.txt- file size or the number of pages that will be printed. This means ../data/rfc/rfc3334.txt- the user has no idea of the costs of the service usage. If user and ../data/rfc/rfc3334.txt: subscriber are a single entity, accounting indications would help ../data/rfc/rfc3334.txt- users to avoid exceeding their spending limit. Additionally, ../data/rfc/rfc3334.txt: accounting indications give the user a hint as to which resource ../data/rfc/rfc3334.txt- usage has caused the charges. This can be compared to an itemized ../data/rfc/rfc3334.txt- telephony bill where not only the monetary sum per month is printed ../data/rfc/rfc3334.txt- but, in addition, information for every call (start time, duration, ../data/rfc/rfc3334.txt- distance etc.) and its corresponding charge. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-9.2 Mobile/Roaming Example ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- In this section, the "Dial-in with Roaming" example from the ../data/rfc/rfc3334.txt- authorization examples [RFC2905], [RFC2002] is used to show how ../data/rfc/rfc3334.txt: accounting functions could interact with authorization functions. ../data/rfc/rfc3334.txt: The accounting modules (e.g. collectors and meters) are seen here as ../data/rfc/rfc3334.txt- part of the service equipment which is, in this example, located at ../data/rfc/rfc3334.txt: the visited ISP premises. 
The basic configuration of the accounting ../data/rfc/rfc3334.txt- modules is probably done by the visited ISP itself, but the visited ../data/rfc/rfc3334.txt- ISP can allow the home ISP to influence certain parameters (like ../data/rfc/rfc3334.txt: report interval or accounting record format). This is useful if the ../data/rfc/rfc3334.txt- home provider generates the invoice and therefore needs appropriate ../data/rfc/rfc3334.txt: accounting records to calculate the prices. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-Zseby, et. al. Experimental [Page 31] ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:RFC 3334 Policy-Based Accounting October 2002 ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- User | Visited ISP | Home ISP ../data/rfc/rfc3334.txt- | | ../data/rfc/rfc3334.txt- | | +-----------+ .......... -- ../data/rfc/rfc3334.txt- | | 6 8 | ../data/rfc/rfc3334.txt- | | | | | ../data/rfc/rfc3334.txt- | +------------+------+-------+ | ../data/rfc/rfc3334.txt- 7 | | Service | | | | ../data/rfc/rfc3334.txt- <--------| Equipment | +----------+| | ../data/rfc/rfc3334.txt: 1 | | |->|Accounting|| | ../data/rfc/rfc3334.txt- -------->| | +----------+| | ../data/rfc/rfc3334.txt- | | config | | | | ../data/rfc/rfc3334.txt- | | | +---------+ | | ../data/rfc/rfc3334.txt- | | +->| Meters | | | ../data/rfc/rfc3334.txt- | | +---------+ | | -- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-Zseby, et. al. Experimental [Page 32] ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:RFC 3334 Policy-Based Accounting October 2002 ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- The exchange of authorization data corresponds to the example in ../data/rfc/rfc3334.txt- [RFC2905]. 
As an additional component, we introduce an ASM between ../data/rfc/rfc3334.txt- home AAA and service equipment for the user configuration which -- ../data/rfc/rfc3334.txt- via the AAA sever of the visited ISP to the home AAA server. In step ../data/rfc/rfc3334.txt- (4), user specific service parameters are given to the visited ISP's ../data/rfc/rfc3334.txt- AAA server and are forwarded to the service equipment (5) where the ../data/rfc/rfc3334.txt- user configuration is done. The user-specific service parameters ../data/rfc/rfc3334.txt- could additionally include the desired policies for the configuration ../data/rfc/rfc3334.txt: of the accounting infrastructure of the visited ISP. An accounting ../data/rfc/rfc3334.txt: policy could be, for instance, "for user X one accounting record of ../data/rfc/rfc3334.txt: type Y has to be generated every 30 seconds". This accounting policy ../data/rfc/rfc3334.txt- is used by the visited ISP to configure his modules (e.g. metering, ../data/rfc/rfc3334.txt- data collection). ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- User-dependent service parameters are converted by the ASM into the ../data/rfc/rfc3334.txt- appropriate configuration information (6). Then the user is informed ../data/rfc/rfc3334.txt- about the completed authentication/authorization process (7). The ../data/rfc/rfc3334.txt: accounting architecture starts metering the resource usage and sends ../data/rfc/rfc3334.txt- metering records to the ASM (8). The ASM uses the metered data to ../data/rfc/rfc3334.txt: fill the required accounting records and sends them to the visited ../data/rfc/rfc3334.txt- ISP's AAA server (9). The visited ISP can either post-process the ../data/rfc/rfc3334.txt- data or directly forward them to the home ISP (10). 
With this data ../data/rfc/rfc3334.txt- as input, an invoice is generated by the charging and billing modules ../data/rfc/rfc3334.txt- within the home providers domain (11) by using charging policies ../data/rfc/rfc3334.txt- (tariff formulas), and then sent to the user/customer (12). ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: As an additional option, accounting records can also be offered to ../data/rfc/rfc3334.txt: the user (accounting indication) as a special service. For this ../data/rfc/rfc3334.txt- special service a separate authorization is required. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-9.3 Diffserv Example ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: This example explains how integrated accounting is configured via ../data/rfc/rfc3334.txt- policies for a Diffserv service [RFC2475] based on bandwidth brokers ../data/rfc/rfc3334.txt- [I2-BB]. The service is the transport of packets with a higher ../data/rfc/rfc3334.txt: priority and the service includes accounting and QoS auditing. ../data/rfc/rfc3334.txt- Figure 14 shows the service setup. The user issues a Service Request ../data/rfc/rfc3334.txt- (SR) for a Diffserv service to the AAA server. The request contains ../data/rfc/rfc3334.txt- a user ID and the parameter for the desired service class. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- User->AAA: user-x@nw-a, service=diffserv, class=gold, -- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-Zseby, et. al. Experimental [Page 33] ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:RFC 3334 Policy-Based Accounting October 2002 ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- In this example, user-x is located at network A (nw-a) and requests a ../data/rfc/rfc3334.txt- gold class service for all flows from this network to the destination ../data/rfc/rfc3334.txt- network B (nw-b). 
After authentication and authorization has been -- ../data/rfc/rfc3334.txt- dest=nw-b ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- The ASM takes over the task of translating the application specific ../data/rfc/rfc3334.txt- information into appropriate user configuration information for the ../data/rfc/rfc3334.txt- service equipment. For the given Diffserv example, the service ../data/rfc/rfc3334.txt: equipment consists of three components: accounting equipment, the QoS ../data/rfc/rfc3334.txt- auditing equipment and the bandwidth broker architecture. The ASM ../data/rfc/rfc3334.txt- has to address all three components to set up the requested service ../data/rfc/rfc3334.txt- for the user. The translation of the ASI into configuration ../data/rfc/rfc3334.txt- information for the components can be done by evaluating service ../data/rfc/rfc3334.txt- provisioning policies. For example, the ASM could have the following ../data/rfc/rfc3334.txt- service provisioning policy: ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- if class==gold { ../data/rfc/rfc3334.txt- set bw-request.class = gold ../data/rfc/rfc3334.txt: set accounting.type = comprehensive ../data/rfc/rfc3334.txt- set qos-audit.metric = one-way-delay ../data/rfc/rfc3334.txt- ... ../data/rfc/rfc3334.txt- } ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- This results in sending a bandwidth request to the BB which asks for ../data/rfc/rfc3334.txt- a gold service with the given parameters. Furthermore, the ASM ../data/rfc/rfc3334.txt: issues a request to the accounting equipment for comprehensive ../data/rfc/rfc3334.txt: accounting and a request to the QoS auditing equipment for a one- ../data/rfc/rfc3334.txt- way-delay measurement between the given networks. 
../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ASM->BB: BW-request(gold, src=nw-a, dest=nw-b, amount=2Mbit) ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ASM->Acct: Acct-request(comprehensive, src=nw-a) -- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- The bandwidth broker then sets up the Diffserv infrastructure to ../data/rfc/rfc3334.txt- provide the prioritized forwarding according to the definition of a ../data/rfc/rfc3334.txt- gold class. This is done in accordance with the actual bandwidth ../data/rfc/rfc3334.txt- broker's architecture and is not further considered here. For the ../data/rfc/rfc3334.txt: Accounting Configuration and the QoS Audit Control, local ../data/rfc/rfc3334.txt- configuration policies exist for setting up the service. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-Zseby, et. al. Experimental [Page 34] ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:RFC 3334 Policy-Based Accounting October 2002 ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: Accounting-Policy: ../data/rfc/rfc3334.txt- if type==comprehensive { ../data/rfc/rfc3334.txt- set meter-location = access-point(nw-a) ../data/rfc/rfc3334.txt- set record type =detailed ../data/rfc/rfc3334.txt- set report interval = 120 s ../data/rfc/rfc3334.txt- set report target = 193.175.12.8 -- ../data/rfc/rfc3334.txt- set timestampsize = 48 bit ../data/rfc/rfc3334.txt- set ingress-meter-location = access-point(nw-a) ../data/rfc/rfc3334.txt- set egress-meter-location = access-point(nw-b) ../data/rfc/rfc3334.txt- } ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: In this case, the local accounting policy sets the meter location to ../data/rfc/rfc3334.txt- the network access point of network A. 
It states that for ../data/rfc/rfc3334.txt: comprehensive accounting, a detailed record type is required with a ../data/rfc/rfc3334.txt- report interval of 120 s. The resulting records have to be sent to ../data/rfc/rfc3334.txt- the given report target. The QoS measurement policy sets the ../data/rfc/rfc3334.txt- measurement method to passive measurement. It sets the size used for ../data/rfc/rfc3334.txt- timestamp representation to 48 bits. As meter locations, the meters ../data/rfc/rfc3334.txt- at the access points of network A and network B are used. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- After evaluating these policies, the instructions for the meter ../data/rfc/rfc3334.txt- configuration are passed down to the measurement infrastructure. In ../data/rfc/rfc3334.txt: our example, the accounting configuration instructs the meter at the ../data/rfc/rfc3334.txt- first measurement point (MP1) to add a new rule with the given flow ../data/rfc/rfc3334.txt- attributes and settings for storage and reporting of results. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- -- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-Zseby, et. al. Experimental [Page 35] ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:RFC 3334 Policy-Based Accounting October 2002 ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- Acct->MI: MP1: add rule dscp=23, src=a.a.a/24, dest=b.b.b.b/24 ../data/rfc/rfc3334.txt- save volume ../data/rfc/rfc3334.txt- set report interval = 120 s -- ../data/rfc/rfc3334.txt- | | | ../data/rfc/rfc3334.txt- -----|----------------------------------------|--------------|----- ../data/rfc/rfc3334.txt- | Service Equipment | | ../data/rfc/rfc3334.txt- V V V ../data/rfc/rfc3334.txt- +---------------+ .............. 
+-----------+ +-----------+ ../data/rfc/rfc3334.txt: | Accounting |<-->: Local :<-->| QoS | | Bandwidth | ../data/rfc/rfc3334.txt- | | : Policies : | Auditing | | Broker | ../data/rfc/rfc3334.txt- +---------------+ :............: +-----------+ +-----------+ ../data/rfc/rfc3334.txt- | | ../data/rfc/rfc3334.txt- | Meter Instructions | Measurement Setup ../data/rfc/rfc3334.txt- V V -- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-Zseby, et. al. Experimental [Page 36] ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:RFC 3334 Policy-Based Accounting October 2002 ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:9.4 User Accounting Indication Example ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: This example explains how discrete accounting can be used to provide ../data/rfc/rfc3334.txt: accounting indications for the user. Accounting indications are sent ../data/rfc/rfc3334.txt- to the user in order to inform the user about current resource ../data/rfc/rfc3334.txt: consumption. The accounting indication is a special accounting ../data/rfc/rfc3334.txt: service that can be provided in addition to the standard accounting ../data/rfc/rfc3334.txt- performed by the provider. Like for any other service, an ../data/rfc/rfc3334.txt: authorization should take place before the accounting indication ../data/rfc/rfc3334.txt: service provisioning. Therefore, the accounting here is seen as a ../data/rfc/rfc3334.txt: separate service. That means the accounting service is independent ../data/rfc/rfc3334.txt- of the main service and therefore can be applied to different ../data/rfc/rfc3334.txt- services. It might be used as an addition to an integrated ../data/rfc/rfc3334.txt: accounting that is part of the service. The authorization process ../data/rfc/rfc3334.txt: for the accounting service is out of the scope of this document and ../data/rfc/rfc3334.txt- therefore is not further explained here. 
../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- Figure 15 illustrates the configuration message sequence for setting ../data/rfc/rfc3334.txt: up the accounting service. First, the user sends an Accounting ../data/rfc/rfc3334.txt- Service Request (ASR) to the AAA server which includes desired ../data/rfc/rfc3334.txt: parameters for the provisioning of the accounting service (e.g. ../data/rfc/rfc3334.txt- report interval). ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: user->AAA: user-x@nw-a, service= accounting indications, ../data/rfc/rfc3334.txt- report interval= 60 s ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: The AAA server passes the ASI to the ASM of the accounting service ../data/rfc/rfc3334.txt- after the user has been authenticated and authorized for the service ../data/rfc/rfc3334.txt- usage. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: AAA->ASM: user-x@nw-a, service=accounting indications, ../data/rfc/rfc3334.txt- report interval= 60 s ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- -- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-Zseby, et. al. Experimental [Page 37] ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:RFC 3334 Policy-Based Accounting October 2002 ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: The ASM generates an accounting policy based on the ASI and passes ../data/rfc/rfc3334.txt: this policy to the Accounting Configuration. 
../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ASM->Acct: If src=a.a.a.x { ../data/rfc/rfc3334.txt- acc-indication = on ../data/rfc/rfc3334.txt- report interval = 60s ../data/rfc/rfc3334.txt- report target= a.a.a.x -- ../data/rfc/rfc3334.txt- +-------+ ../data/rfc/rfc3334.txt- | ASM | ../data/rfc/rfc3334.txt- +-------+ ../data/rfc/rfc3334.txt- | ../data/rfc/rfc3334.txt- -------------------------|--------------------------- ../data/rfc/rfc3334.txt: Service Equipment | Accounting Policy ../data/rfc/rfc3334.txt- V ../data/rfc/rfc3334.txt- +-----------------+ .............. ../data/rfc/rfc3334.txt: | Accounting |<---->: Local Acct : ../data/rfc/rfc3334.txt- | | : Policies : ../data/rfc/rfc3334.txt- +-----------------+ :............: ../data/rfc/rfc3334.txt- | ../data/rfc/rfc3334.txt- | Meter Instructions ../data/rfc/rfc3334.txt- V ../data/rfc/rfc3334.txt- +-----------------+ ../data/rfc/rfc3334.txt- | Measurement | ../data/rfc/rfc3334.txt- | Infrastructure | ../data/rfc/rfc3334.txt- +-----------------+ ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: Figure 15: Accounting Indication Configuration ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt: The Accounting Configuration generates meter instructions according ../data/rfc/rfc3334.txt: to the accounting policies from the ASM and local accounting policies ../data/rfc/rfc3334.txt- and passes them to the measurement infrastructure. ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- local Acct-Policy: if acc-indication { ../data/rfc/rfc3334.txt- record type = compact ../data/rfc/rfc3334.txt- } -- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-Zseby, et. al. Experimental [Page 38] ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt:RFC 3334 Policy-Based Accounting October 2002 ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt- ../data/rfc/rfc3334.txt-10. 
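The policy chain of Sections 9.3 and 9.4 (AAA server passes the ASI to the ASM, the ASM's service provisioning policy produces requests for the service equipment components, and the Accounting Configuration's local policy turns the accounting request into a meter instruction) as a runnable Python example. This is an added illustration, not code from RFC 3334: the ASI data structure, the NETWORKS table (RFC 5737 documentation prefixes stand in for the page's a.a.a.a/24 and b.b.b.b/24), the host parameter of the accounting-indication request, the dest field of the Acct-request and the check that an accounting indication may only be reported to an address inside the requesting user's own network are assumptions of this example; the parameter names and values (gold, comprehensive, detailed, 120 s, 193.175.12.8, compact, 60 s) are those of the page.

```python
"""Policy translation for the Diffserv (9.3) and accounting indication (9.4)
examples of RFC 3334. Added illustration; data structures, the NETWORKS table
and the report-target check are assumptions of this example."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class ASI:
    """Application Specific Information as the AAA server hands it to the ASM."""
    user: str       # NAI-style identifier, e.g. "user-x@nw-a"
    service: str    # "diffserv" or "accounting indications"
    params: dict    # parameters taken from the user's Service Request


# Constructed sample topology; the realm part of the user ID names the network.
NETWORKS = {
    "nw-a": {"prefix": "192.0.2.0/24", "access_point": "access-point(nw-a)"},
    "nw-b": {"prefix": "198.51.100.0/24", "access_point": "access-point(nw-b)"},
}
REPORT_TARGET_PROVIDER = "193.175.12.8"  # collector address from the page's policy


class PolicyError(ValueError):
    """No policy matches the request, or a policy check failed."""


def asm_service_provisioning_policy(asi: ASI) -> list:
    """Service provisioning policy of the ASM: maps the ASI to the requests for
    the bandwidth broker (BB), accounting (Acct) and QoS auditing components.
    Returns a list of (component, request) tuples."""
    realm = asi.user.split("@", 1)[1]
    if asi.service == "diffserv" and asi.params.get("class") == "gold":
        src, dest = asi.params["src"], asi.params["dest"]
        return [
            ("BB", {"class": "gold", "src": src, "dest": dest,
                    "amount": asi.params["amount"]}),
            ("Acct", {"type": "comprehensive", "src": src, "dest": dest}),
            ("QoS-Audit", {"metric": "one-way-delay", "src": src, "dest": dest}),
        ]
    if asi.service == "accounting indications":
        host = asi.params["host"]  # assumed: the user's host address (a.a.a.x on the page)
        return [("Acct", {"acc-indication": True, "realm": realm, "src": host,
                          "report interval": asi.params["report interval"],
                          "report target": host})]
    raise PolicyError(f"no provisioning policy for service {asi.service!r}")


def accounting_configuration(request: dict) -> dict:
    """Local accounting policy of the Accounting Configuration: turns an ASM
    accounting request into one meter instruction (the Acct->MI message)."""
    if request.get("type") == "comprehensive":
        src, dest = NETWORKS[request["src"]], NETWORKS[request["dest"]]
        return {"meter": "MP1", "location": src["access_point"],
                "rule": {"dscp": 23, "src": src["prefix"], "dest": dest["prefix"]},
                "save": "volume", "record type": "detailed",
                "report interval": 120, "report target": REPORT_TARGET_PROVIDER}
    if request.get("acc-indication"):
        # Added check (not in the RFC): the ASM copies the report target from
        # the user's own request, so without this check an authorized user
        # could point the record stream at an arbitrary third party.
        net = NETWORKS[request["realm"]]
        target = ip_address(request["report target"])
        if target not in ip_network(net["prefix"]):
            raise PolicyError(f"report target {target} is outside {request['realm']}")
        return {"meter": "MP1", "location": net["access_point"],
                "rule": {"src": request["src"]}, "save": "volume",
                "record type": "compact",
                "report interval": request["report interval"],
                "report target": str(target)}
    raise PolicyError("no local accounting policy matches the request")


def provision(asi: ASI) -> dict:
    """Run the chain AAA -> ASM -> Accounting Configuration -> meter and return
    both the component requests and the resulting meter instruction."""
    requests = asm_service_provisioning_policy(asi)
    acct = next(req for comp, req in requests if comp == "Acct")
    return {"requests": dict(requests),
            "meter_instruction": accounting_configuration(acct)}


if __name__ == "__main__":
    gold = ASI("user-x@nw-a", "diffserv",
               {"class": "gold", "src": "nw-a", "dest": "nw-b", "amount": "2Mbit"})
    print(provision(gold))
    indication = ASI("user-x@nw-a", "accounting indications",
                     {"host": "192.0.2.17", "report interval": 60})
    print(provision(indication))
```

The two requests on the page are provisioned by the `__main__` block; a request for an unknown service, or an accounting indication whose report target lies outside the user's network, is rejected with a PolicyError instead of being passed down to the meters.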
10. Security Considerations

Accounting services provide the basis for billing. Therefore, the incentives (mainly saving money) and the potential for fraud are extremely high in the field of configuration of the accounting architecture and the collection of accounting data. In the presented framework, two types of data communication are required: the exchange of accounting policies and the collection of accounting records. Both communications introduce potential security hazards.

The following potential security hazards can be identified:

- Forgery of accounting policies and accounting record information
  Both accounting policies and accounting records can be the target of forgery of information. Accounting policies contain configuration information. Modifying this information can lead to a mal-configured accounting and metering system which either allows data to traverse the accounting system undetected (without being accounted for, e.g. by changing the classification rules of a meter) or produces bogus accounting records. Accounting records contain data about resource consumption and provide the basis for billing. Modifying accounting records may lead to erroneous bills. Furthermore, it is important that policies or accounting records are not redirected or removed and that forged policies or records are not inserted.

- Eavesdropping
  It may be required to keep accounting policies and accounting records confidential between the involved parties.

- Denial of Service (DoS) attacks
  Both the AAA server and the accounting/metering subsystem can be the target of denial of service attacks. A denial of service attack against the AAA server may lead to malfunction and even breakdown of the server. This means the server will not be able to provide proper authentication, authorization and accounting functionality. The service provided by the AAA server will become unavailable or unusable. An attack on the server can be worse than an attack on the service equipment itself, especially if multiple services use one AAA server. An attack against the accounting/metering system will cause loss of metering data and/or loss of accounting records.

This leads to the following security requirements:

- Secrecy of accounting policies and accounting data
  Unauthorized entities should not be able to read accounting policies or accounting records. This can be achieved with standard encryption methods. Encryption alone does not prevent modification; that is covered by the integrity requirement below.

- Authentication of accounting data and accounting policy sources
  It should be ensured that the data originated from the claimed source. Source authentication can be achieved by using digital signatures.

- Protection of the integrity of accounting policies and records
  It should be ensured that the data was not modified on the way from sender to receiver. Data authentication can also be achieved with digital signatures. A signature on its own does not reveal that a record was removed, replayed or redirected from another session; detecting that requires the records to carry a session identifier and a sequence number that the receiver checks for gaps and duplicates.

- Verify correctness of generated accounting data
  It must be ensured that the accounting data generated by the service provider is correct. A provider may generate incorrect accounting records either deliberately (i.e. forging) or unintentionally (e.g. faulty configuration). These incorrect accounting records probably have the consequence of incorrect bills. Customers can verify the correctness of the accounting data through their own measurements and/or through data collected by a trusted third party. A trusted third party can be an independent accounting service provider as described in section 7.2 or a more general entity providing an auditing service.

- Prevention and protection against Denial of Service attacks
  The AAA protocol and all building blocks should be designed and [...] add a component to the meter system that is able to detect suspicious traffic patterns. Upon detection, further actions can be taken according to a pre-defined policy.

The prevention of these hazards has to be considered for the protocols used for accounting policy exchange and the transportation of accounting records. Since the security requirements for authentication, transmission level security, data object confidentiality and integrity are addressed in the criteria for AAA protocol evaluation [RFC2989], we assume that the future AAA protocol(s) will be suited for secure accounting record transfer and probably also for secure accounting policy transport. Furthermore, we assume that existing or upcoming solutions for secure transportation and enforcement of policies can be used. Real prevention of DoS attacks is quite difficult. Selective dropping of the attacker's packets is impossible if the malicious packets cannot be separated from the valid customer traffic. Dropping of all [...]
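How the source authentication, integrity and correctness requirements of this section can be met for a stream of accounting records, as an added Python example that is not code from RFC 3334. The provider tags every record, the customer's AAA server verifies the tags, rejects records redirected from another session, detects removed, replayed and truncated records, and reconciles the accounted volume with its own measurements. The record layout (session_id, seq, volume, final), the HMAC-SHA256 tag that stands in for the digital signature the RFC names (a shared key instead of a key pair, so the example runs with the standard library alone), the end-of-session marker and the 2 % reconciliation tolerance are assumptions of this example; a deployment would use an asymmetric signature so that the customer cannot mint records itself.

```python
"""Authenticated accounting record stream for Section 10 of RFC 3334.
Added example; record layout, HMAC in place of a digital signature, the
final-record marker and the tolerance are assumptions of this example."""

import hashlib
import hmac
import json

# Constructed shared key between the provider's accounting subsystem and the
# customer's AAA server. With a real signature the provider holds the private
# key and the customer only the public key.
KEY = b"provider-to-customer-accounting-key"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so sender and verifier tag the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = KEY) -> dict:
    """Provider side: attach an authentication tag over all record fields."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def make_records(session_id: str, volumes, key: bytes = KEY) -> list:
    """Provider side: one tagged record per report interval; the last record
    carries final=True so that a truncated stream can be recognized."""
    n = len(volumes)
    return [sign_record({"session_id": session_id, "seq": i, "volume": v,
                         "final": i == n}, key)
            for i, v in enumerate(volumes, start=1)]


def verify_stream(records, session_id: str, key: bytes = KEY):
    """Customer side. Returns (accepted_records, problems): tag check for
    source authentication and integrity, session check against redirected
    records, sequence check against removal/replay, final check against
    truncation."""
    accepted, problems = [], []
    expected_seq, saw_final = 1, False
    for r in records:
        body = {k: v for k, v in r.items() if k != "tag"}
        tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, str(r.get("tag", ""))):
            problems.append(f"seq {body.get('seq')}: bad tag, forged or modified")
            continue
        if body["session_id"] != session_id:
            problems.append(f"seq {body['seq']}: record of session "
                            f"{body['session_id']} redirected into this stream")
            continue
        if body["seq"] < expected_seq:
            problems.append(f"seq {body['seq']}: replayed or duplicated record")
            continue
        if body["seq"] > expected_seq:
            problems.append(f"seq {expected_seq}..{body['seq'] - 1} missing: "
                            "records removed")
        expected_seq = body["seq"] + 1
        saw_final = saw_final or bool(body.get("final"))
        accepted.append(body)
    if not saw_final:
        problems.append("no final record: stream truncated")
    return accepted, problems


def reconcile(accepted, customer_volume, tolerance=0.02):
    """Compare the provider's accounted volume with the customer's own meter.
    Returns (provider_volume, within_tolerance)."""
    provider_volume = sum(r["volume"] for r in accepted)
    within = abs(provider_volume - customer_volume) <= tolerance * max(customer_volume, 1)
    return provider_volume, within


if __name__ == "__main__":
    stream = make_records("sess-42", [1000, 1200, 900])
    print(verify_stream(stream, "sess-42"))
    # A modified second record and a dropped third record are both reported.
    tampered = [stream[0], {**stream[1], "volume": 10}]
    print(verify_stream(tampered, "sess-42"))
```

The sequence and final checks are what the signature alone cannot give: a removed trailing record leaves every remaining signature valid, so the receiver needs an explicit end-of-session marker (or an agreed record count) to notice it.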
11. References

[I2-BB]    Internet2-QBone Bandwidth Broker, [...]

[RFC2905]  Vollbrecht, J., Calhoun, P., Farrell, S., Gommans, L., Gross, G., de Bruijn, B., de Laat, C., Holdrege, M. and D. Spence, "AAA Authorization Application Examples", RFC 2905, August 2000.

[RFC2924]  Brownlee, N. and A. Blount, "Accounting Attributes and Record Formats", RFC 2924, September 2000.

[RFC2975]  Aboba, B., Arkko, J. and D. Harrington, "Introduction to Accounting Management", RFC 2975, October 2000.

[RFC2989]  Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P., Shiino, H., Walsh, P., Zorn, G., Dommety, G., Perkins, C., Patil, B., Mitton, D., Manning, S., [...]

Authors' Addresses

Tanja Zseby [...]

Full Copyright Statement

Copyright (C) The Internet Society (2002). All Rights Reserved. [...]

From ../data/rfc/rfc3300.txt:

[...]
Mnemonic    Title                                                  RFC#
------------------------------------------------------------------------
WEBDAV      HTTP Extensions for Distributed Authoring -- WEBDAV    2518
ATM-MIBMAN  Definitions of Managed Objects for ATM Management      2515
ATM-TC-OID  Definitions of Textual Conventions and                 2514
            OBJECT-IDENTITIES for ATM Management
--------    Managed Objects for Controlling the Collection         2513
            and Storage of Accounting Information for
            Connection-Oriented Networks

IETF                        Standards Track                    [Page 23]
RFC 3300                   Internet Standards               November 2002

--------    Accounting Information for ATM Networks                2512
X.509-CRMF  Internet X.509 Certificate Request Message Format      2511
PKICMP      Internet X.509 Public Key Infrastructure Certificate   2510
            Management Protocols
IPCOM-PPP   IP Header Compression over PPP                         2509
--------    Compressing IP/UDP/RTP Headers for Low-Speed Serial    2508
[...]

3.7. Experimental Protocols

Mnemonic    Title                                                  RFC#
------------------------------------------------------------------------
--------    Dual Stack Hosts Using "Bump-in-the-API" (BIA)         3338*
--------    Policy-Based Accounting                                3334*
--------    PGM Reliable Transport Protocol Specification          3208*
--------    Domain Security Services using S/MIME                  3183
SMX         Script MIB Extensibility Protocol Version 1.1          3179
--------    ISO/IEC 9798-3 Authentication SASL Mechanism           3163
--------    Electronic Signature Policies                          3125
[...]

From ../data/rfc/rfc4282.txt:

[...] The use of unassigned code points is prohibited.

The mapping, normalization, and bidirectional character processing MUST be performed by end systems that take international text as input. In a network access setting, such systems are typically the client and the Authentication, Authorization, and Accounting (AAA) server. NAIs are sent over the wire in their canonical form, and tasks such as normalization do not typically need to be performed by nodes that just pass NAIs around or receive them from the network. End systems MUST also perform checking for prohibited output and unassigned code points. Other systems MAY perform such checks, when [...]

From ../data/rfc/rfc4562.txt:

[...] different premises (i.e., accessed via different subscriber lines or via different access networks) be forwarded via an AR, and not bridged or switched at layer-2 (Requirement 1; see also requirement R-40 in [TR101]). This enables the access network service provider to use the AR(s) to perform security filtering, policing, and accounting of all customer traffic. This implies that within the access network, layer-2 traffic paths should not exist that circumvent an AR (with some exceptions; see Section 3.4).

In ATM-based access networks, the separation of individual customer hosts' traffic is an intrinsic feature achieved by the use of ATM [...]

Access Router (AR)
   The entity interconnecting the access network to the Internet or other IP-based networks. The AR provides connectivity between hosts on the access network at different customer premises. It is also used to provide security filtering, policing, and accounting of customer traffic.
../data/rfc/rfc4562.txt- ../data/rfc/rfc4562.txt- Application Server (AS) ../data/rfc/rfc4562.txt- A server, usually owned by a service provider, that attaches ../data/rfc/rfc4562.txt- directly to the aggregation network and is directly reachable at -- ../data/rfc/rfc6735.txt- ../data/rfc/rfc6735.txt-Abstract ../data/rfc/rfc6735.txt- ../data/rfc/rfc6735.txt- This document defines Attribute-Value Pair (AVP) containers for ../data/rfc/rfc6735.txt- various priority parameters for use with Diameter and the ../data/rfc/rfc6735.txt: Authentication, Authorization, and Accounting (AAA) framework. The ../data/rfc/rfc6735.txt- parameters themselves are defined in several different protocols that ../data/rfc/rfc6735.txt- operate at either the network or application layer. ../data/rfc/rfc6735.txt- ../data/rfc/rfc6735.txt- ../data/rfc/rfc6735.txt-Status of This Memo -- ../data/rfc/rfc6735.txt- +------------------------------------------------------------------+ ../data/rfc/rfc6735.txt- ../data/rfc/rfc6735.txt-5.2. QoS Profile ../data/rfc/rfc6735.txt- ../data/rfc/rfc6735.txt- IANA has allocated a new value from the "QoS Profiles" subregistry of ../data/rfc/rfc6735.txt: the "Authentication, Authorization, and Accounting (AAA) Parameters" ../data/rfc/rfc6735.txt- defined in [RFC5624] for the QoS profile defined in this document. ../data/rfc/rfc6735.txt- The name of the profile is "Resource priority parameters" (1). ../data/rfc/rfc6735.txt- ../data/rfc/rfc6735.txt-6. 
Security Considerations ../data/rfc/rfc6735.txt- -- ../data/rfc/rfc892.txt-following set of functions which have been identified as potential ../data/rfc/rfc892.txt-transport layer functions: ../data/rfc/rfc892.txt- ../data/rfc/rfc892.txt- o provision for encryption ../data/rfc/rfc892.txt- ../data/rfc/rfc892.txt: o provision for accounting mechanisms ../data/rfc/rfc892.txt- ../data/rfc/rfc892.txt- o provision for status exchanges and monitoring of quality ../data/rfc/rfc892.txt- of service ../data/rfc/rfc892.txt- ../data/rfc/rfc892.txt- o provision for blocking -- ../data/rfc/rfc8300.txt- realize a service path. Furthermore, the NSH provides the ../data/rfc/rfc8300.txt- ability to monitor and troubleshoot a service chain, end-to-end ../data/rfc/rfc8300.txt- via service-specific Operations, Administration, and Maintenance ../data/rfc/rfc8300.txt- (OAM) messages. The NSH fields can be used by administrators ../data/rfc/rfc8300.txt- (for example, via a traffic analyzer) to verify the path ../data/rfc/rfc8300.txt: specifics (e.g., accounting, ensuring correct chaining, providing ../data/rfc/rfc8300.txt- reports, etc.) of packets being forwarded along a service path. ../data/rfc/rfc8300.txt- ../data/rfc/rfc8300.txt- 3. The NSH provides a mechanism to carry shared metadata between ../data/rfc/rfc8300.txt- participating entities and Service Functions. The semantics of ../data/rfc/rfc8300.txt- the shared metadata are communicated via a control plane (which -- ../data/rfc/rfc525.txt- 5) USER disconnect from MATHLAB. ../data/rfc/rfc525.txt- ../data/rfc/rfc525.txt- 6) User connects to and logs into OLS, and loads a file containing ../data/rfc/rfc525.txt- the user programs which produce a virtual job deck for the ../data/rfc/rfc525.txt- batch system. A sequence of questions are given to the user by ../data/rfc/rfc525.txt: these programs regarding accounting information, and the source ../data/rfc/rfc525.txt- file at MIT, and the destination file at at UCSB. 
The batch ../data/rfc/rfc525.txt- job gets submitted automatically, and the transfer and ../data/rfc/rfc525.txt- translation is done. ../data/rfc/rfc525.txt- ../data/rfc/rfc525.txt- 7) After the transfer is completed, the destination file may be -- ../data/rfc/rfc7930.txt- ../data/rfc/rfc7930.txt- ../data/rfc/rfc7930.txt-3.2. Discovery ../data/rfc/rfc7930.txt- ../data/rfc/rfc7930.txt- As discussed in Section 2.1, a client MAY send a Status-Server ../data/rfc/rfc7930.txt: message to discover whether an authentication or accounting server ../data/rfc/rfc7930.txt- supports this specification. The client includes a Response-Length ../data/rfc/rfc7930.txt- attribute; this signals the server to include a Response-Length ../data/rfc/rfc7930.txt- attribute indicating the maximum packet size the server can process. ../data/rfc/rfc7930.txt- In this one instance, Response-Length indicates the size of a request ../data/rfc/rfc7930.txt- that can be processed rather than a response. ../data/rfc/rfc7930.txt- ../data/rfc/rfc7930.txt-4. Protocol-Error Code ../data/rfc/rfc7930.txt- ../data/rfc/rfc7930.txt- This document defines a new RADIUS code, 52, called Protocol-Error. ../data/rfc/rfc7930.txt- This packet code may be used in response to any request packet, such ../data/rfc/rfc7930.txt: as Access-Request, Accounting-Request, CoA-Request, or Disconnect- ../data/rfc/rfc7930.txt- Request. It is a response packet sent by a server to a client. The ../data/rfc/rfc7930.txt- packet indicates to the client that the server is unable to process ../data/rfc/rfc7930.txt- the request for some reason. ../data/rfc/rfc7930.txt- ../data/rfc/rfc7930.txt- A Protocol-Error packet MUST contain an Original-Packet-Code -- ../data/rfc/rfc4857.txt- 13. IANA Considerations ...........................................30 ../data/rfc/rfc4857.txt- 14. Acknowledgements ..............................................31 ../data/rfc/rfc4857.txt- 15. 
References ....................................................32 ../data/rfc/rfc4857.txt- 15.1. Normative References .....................................32 ../data/rfc/rfc4857.txt- 15.2. Informative References ...................................32 ../data/rfc/rfc4857.txt: Appendix A. Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc4857.txt- Interactions ..........................................33 ../data/rfc/rfc4857.txt- Appendix B. Anchoring at a GFA ....................................33 ../data/rfc/rfc4857.txt- ../data/rfc/rfc4857.txt- ../data/rfc/rfc4857.txt- -- ../data/rfc/rfc4857.txt- January 2007. ../data/rfc/rfc4857.txt- ../data/rfc/rfc4857.txt-15.2. Informative References ../data/rfc/rfc4857.txt- ../data/rfc/rfc4857.txt- [RFC3957] Perkins, C. and P. Calhoun, "Authentication, ../data/rfc/rfc4857.txt: Authorization, and Accounting (AAA) Registration Keys for ../data/rfc/rfc4857.txt- Mobile IPv4", RFC 3957, March 2005. ../data/rfc/rfc4857.txt- ../data/rfc/rfc4857.txt- [RFC4004] Calhoun, P., Johansson, T., Perkins, C., Hiller, T., and ../data/rfc/rfc4857.txt- P. McCann, "Diameter Mobile IPv4 Application", RFC 4004, ../data/rfc/rfc4857.txt- August 2005. -- ../data/rfc/rfc4857.txt-Fogelstroem, et al. Experimental [Page 32] ../data/rfc/rfc4857.txt- ../data/rfc/rfc4857.txt-RFC 4857 Mobile IPv4 Regional Registration June 2007 ../data/rfc/rfc4857.txt- ../data/rfc/rfc4857.txt- ../data/rfc/rfc4857.txt:Appendix A. Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc4857.txt- Interactions ../data/rfc/rfc4857.txt- ../data/rfc/rfc4857.txt- When the mobile node has to obtain authorization by way of ../data/rfc/rfc4857.txt: Authentication, Authorization, and Accounting (AAA) infrastructure ../data/rfc/rfc4857.txt- services, the control flow implicit in the main body of this ../data/rfc/rfc4857.txt- specification is likely to be modified. 
Typically, the mobile node ../data/rfc/rfc4857.txt- will supply credentials for authorization by AAA as part of its ../data/rfc/rfc4857.txt- registration messages. The GFA will parse the credentials supplied ../data/rfc/rfc4857.txt- by the mobile and forward the appropriate authorization request to a -- ../data/rfc/rfc5655.txt- 1. a Version field of 10; ../data/rfc/rfc5655.txt- ../data/rfc/rfc5655.txt- 2. a Length field with the number of octets in the IPFIX ../data/rfc/rfc5655.txt- Message, generally available by subtracting 4 from the length ../data/rfc/rfc5655.txt- of the NetFlow V9 packet as returned from the transport layer ../data/rfc/rfc5655.txt: (accounting for the difference in message header lengths); ../data/rfc/rfc5655.txt- ../data/rfc/rfc5655.txt- ../data/rfc/rfc5655.txt- ../data/rfc/rfc5655.txt- ../data/rfc/rfc5655.txt-Trammell, et al. Standards Track [Page 60] -- ../data/rfc/rfc1486.txt- 2.4 Remote Printing without MIME ......................... 6 ../data/rfc/rfc1486.txt- 3. The Experiment ........................................ 7 ../data/rfc/rfc1486.txt- 3.1 Infrastructure ....................................... 8 ../data/rfc/rfc1486.txt- 3.1.1 Zones .............................................. 8 ../data/rfc/rfc1486.txt- 3.1.2 MX records ......................................... 8 ../data/rfc/rfc1486.txt: 3.2 Accounting and Privacy ............................... 9 ../data/rfc/rfc1486.txt- 3.3 Mailing list ......................................... 9 ../data/rfc/rfc1486.txt- 3.4 Prototype Implementation ............................. 10 ../data/rfc/rfc1486.txt- 4. Future Issues ......................................... 11 ../data/rfc/rfc1486.txt- 5. Security Considerations ............................... 11 ../data/rfc/rfc1486.txt- 6. Acknowledgements ...................................... 11 -- ../data/rfc/rfc1486.txt- ../data/rfc/rfc1486.txt- *.6.9.5.1.4.1.tpc.int. IN MX 10 dbc.mtview.ca.us. 
../data/rfc/rfc1486.txt- ../data/rfc/rfc1486.txt- could be used. ../data/rfc/rfc1486.txt- ../data/rfc/rfc1486.txt:3.2. Accounting and Privacy ../data/rfc/rfc1486.txt- ../data/rfc/rfc1486.txt: There is no accounting nor settlement in the experiment; however, ../data/rfc/rfc1486.txt- participating sites may implement access control to prevent abuse. ../data/rfc/rfc1486.txt- Records may be kept for auditing purposes; however, the privacy of a ../data/rfc/rfc1486.txt- participant's printing should be honored. As such, any auditing ../data/rfc/rfc1486.txt- should contain at most this information: ../data/rfc/rfc1486.txt- -- ../data/rfc/rfc1486.txt- ../data/rfc/rfc1486.txt- o determining which content-types and character sets are ../data/rfc/rfc1486.txt- supported by a remote printer server; ../data/rfc/rfc1486.txt- ../data/rfc/rfc1486.txt- o introduction of authentication, integrity, privacy, ../data/rfc/rfc1486.txt: authorization, and accounting services; ../data/rfc/rfc1486.txt- ../data/rfc/rfc1486.txt- o preferential selection of a remote printer server; and, ../data/rfc/rfc1486.txt- ../data/rfc/rfc1486.txt- o aggregation of multiple print recipients in a single ../data/rfc/rfc1486.txt- message. -- ../data/rfc/rfc7679.txt- more detail elsewhere; we encourage others to do so as well.} ../data/rfc/rfc7679.txt- ../data/rfc/rfc7679.txt-3.7. Errors and Uncertainties ../data/rfc/rfc7679.txt- ../data/rfc/rfc7679.txt- The description of any specific measurement method should include an ../data/rfc/rfc7679.txt: accounting and analysis of various sources of error or uncertainty. ../data/rfc/rfc7679.txt- The Framework document provides general guidance on this point, but ../data/rfc/rfc7679.txt- we note here the following specifics related to delay metrics: ../data/rfc/rfc7679.txt- ../data/rfc/rfc7679.txt- o Errors or uncertainties due to uncertainties in the clocks of the ../data/rfc/rfc7679.txt- Src and Dst hosts. 
-- ../data/rfc/rfc7679.txt- o Errors or uncertainties due to the difference between 'wire time' ../data/rfc/rfc7679.txt- and 'host time'. ../data/rfc/rfc7679.txt- ../data/rfc/rfc7679.txt- In addition, the loss threshold may affect the results. Each of ../data/rfc/rfc7679.txt- these are discussed in more detail below, along with a section ../data/rfc/rfc7679.txt: (Section 3.7.3) on accounting for these errors and uncertainties. ../data/rfc/rfc7679.txt- ../data/rfc/rfc7679.txt-3.7.1. Errors or Uncertainties Related to Clocks ../data/rfc/rfc7679.txt- ../data/rfc/rfc7679.txt- The uncertainty in a measurement of one-way delay is related, in ../data/rfc/rfc7679.txt- part, to uncertainties in the clocks of the Src and Dst hosts. In -- ../data/rfc/rfc5777.txt-10. IANA Considerations ../data/rfc/rfc5777.txt- ../data/rfc/rfc5777.txt-10.1. AVP Codes ../data/rfc/rfc5777.txt- ../data/rfc/rfc5777.txt- IANA has allocated codes from the "AVP Codes" registry under ../data/rfc/rfc5777.txt: Authentication, Authorization, and Accounting (AAA) Parameters for ../data/rfc/rfc5777.txt- the following AVPs that are defined in this document. ../data/rfc/rfc5777.txt- ../data/rfc/rfc5777.txt- +-------------------------------------------------------------------+ ../data/rfc/rfc5777.txt- | AVP Section | ../data/rfc/rfc5777.txt- | Attribute Name Code Defined Data Type | -- ../data/rfc/rfc5777.txt- +-------------------------------------------------------------------+ ../data/rfc/rfc5777.txt- ../data/rfc/rfc5777.txt-10.2. QoS-Semantics IANA Registry ../data/rfc/rfc5777.txt- ../data/rfc/rfc5777.txt- IANA has allocated a new registry under Authentication, ../data/rfc/rfc5777.txt: Authorization, and Accounting (AAA) Parameters for the QoS-Semantics ../data/rfc/rfc5777.txt- AVP. 
The following values are allocated by this specification: ../data/rfc/rfc5777.txt- ../data/rfc/rfc5777.txt- (0): QoS-Desired ../data/rfc/rfc5777.txt- (1): QoS-Available ../data/rfc/rfc5777.txt- (2): QoS-Delivered -- ../data/rfc/rfc5777.txt- policy [RFC5226]. ../data/rfc/rfc5777.txt- ../data/rfc/rfc5777.txt-10.3. Action ../data/rfc/rfc5777.txt- ../data/rfc/rfc5777.txt- IANA has allocated a new registry under Authentication, ../data/rfc/rfc5777.txt: Authorization, and Accounting (AAA) Parameters for the Treatment- ../data/rfc/rfc5777.txt- Action AVP. The following values are allocated by this ../data/rfc/rfc5777.txt- specification: ../data/rfc/rfc5777.txt- ../data/rfc/rfc5777.txt- 0: drop ../data/rfc/rfc5777.txt- 1: shape -- ../data/rfc/rfc2063.txt- for measuring and understanding the network's traffic flows. This ../data/rfc/rfc2063.txt- information is useful for many purposes, as mentioned in section 1 ../data/rfc/rfc2063.txt- (above). ../data/rfc/rfc2063.txt- ../data/rfc/rfc2063.txt- The following sections outline a model for traffic flow measurement, ../data/rfc/rfc2063.txt: which draws from working drafts of the OSI accounting model [2]. ../data/rfc/rfc2063.txt- Future extensions are anticipated as the model is refined to address ../data/rfc/rfc2063.txt- additional protocol layers. ../data/rfc/rfc2063.txt- ../data/rfc/rfc2063.txt-2.1 Meters and Traffic Flows ../data/rfc/rfc2063.txt- -- ../data/rfc/rfc2063.txt- Last Collect Time TimeTicks ../data/rfc/rfc2063.txt- ../data/rfc/rfc2063.txt-8 Acknowledgments ../data/rfc/rfc2063.txt- ../data/rfc/rfc2063.txt- This document was initially produced under the auspices of the IETF's ../data/rfc/rfc2063.txt: Internet Accounting Working Group with assistance from SNMP, RMON and ../data/rfc/rfc2063.txt- SAAG working groups. 
This version documents the implementation work ../data/rfc/rfc2063.txt: done by the Internet Accounting Working Group, and is intended to ../data/rfc/rfc2063.txt- provide a starting point for the Realtime Traffic Flow Measurement ../data/rfc/rfc2063.txt- Working Group. Particular thanks are due to Stephen Stibler (IBM ../data/rfc/rfc2063.txt- Research) for his patient and careful comments during the preparation ../data/rfc/rfc2063.txt- of this memo. ../data/rfc/rfc2063.txt- -- ../data/rfc/rfc2063.txt-RFC 2063 Traffic Flow Measurement: Architecture January 1997 ../data/rfc/rfc2063.txt- ../data/rfc/rfc2063.txt- ../data/rfc/rfc2063.txt-9 References ../data/rfc/rfc2063.txt- ../data/rfc/rfc2063.txt: [1] Mills, C., Hirsch, G. and G. Ruth, "Internet Accounting ../data/rfc/rfc2063.txt- Background", RFC 1272, Bolt Beranek and Newman Inc., Meridian ../data/rfc/rfc2063.txt- Technology Corporation, November 1991. ../data/rfc/rfc2063.txt- ../data/rfc/rfc2063.txt- [2] International Standards Organisation (ISO), "Management ../data/rfc/rfc2063.txt- Framework," Part 4 of Information Processing Systems Open -- ../data/rfc/rfc7046.txt- ../data/rfc/rfc7046.txt- sec-credentials: used to implement security mechanisms (e.g., to ../data/rfc/rfc7046.txt- authorize Multicast Group access or authenticate multicast ../data/rfc/rfc7046.txt- operations). This parameter is optional. "alg" represents the ../data/rfc/rfc7046.txt- security algorithm in use. "val" represents the actual value for ../data/rfc/rfc7046.txt: Authentication, Authorization, and Accounting (AAA). Note that ../data/rfc/rfc7046.txt- security credentials may carry a distinct technical meaning w.r.t. ../data/rfc/rfc7046.txt- AAA schemes and may differ between group members. Hence, the ../data/rfc/rfc7046.txt- sec-credentials are not considered part of the Group Name. ../data/rfc/rfc7046.txt- ../data/rfc/rfc7046.txt- -- ../data/rfc/rfc7652.txt-6.6. 
MTU Considerations ../data/rfc/rfc7652.txt- ../data/rfc/rfc7652.txt- EAP methods are responsible for MTU handling, so no special ../data/rfc/rfc7652.txt- facilities are required in PCP to deal with MTU issues. ../data/rfc/rfc7652.txt- Specifically, EAP lower layers indicate to EAP methods and ../data/rfc/rfc7652.txt: Authentication, Authorization, and Accounting (AAA) servers the MTU ../data/rfc/rfc7652.txt- of the lower layer. EAP methods such as EAP-TLS [RFC5216], TEAP ../data/rfc/rfc7652.txt- [RFC7170], and others that are likely to exceed reasonable MTUs ../data/rfc/rfc7652.txt- provide support for fragmentation and reassembly. Others, such as ../data/rfc/rfc7652.txt- EAP - Generalized Pre-Shared Key (EAP-GPSK) [RFC5433], assume that ../data/rfc/rfc7652.txt- they will never send packets larger than the MTU and use small EAP -- ../data/rfc/rfc5069.txt- to gain faster service by blocking others' competing calls for ../data/rfc/rfc5069.txt- help. ../data/rfc/rfc5069.txt- ../data/rfc/rfc5069.txt- o to gain fraudulent use of services, by using an emergency ../data/rfc/rfc5069.txt- identifier to bypass normal authentication, authorization, and ../data/rfc/rfc5069.txt: accounting procedures. ../data/rfc/rfc5069.txt- ../data/rfc/rfc5069.txt- o to divert emergency calls to non-emergency sites. This is a form ../data/rfc/rfc5069.txt- of a denial-of-service attack similar to the first item, but quite ../data/rfc/rfc5069.txt- likely more confusing for the caller himself or herself since the ../data/rfc/rfc5069.txt- caller expects to talk to a PSAP operator but instead gets -- ../data/rfc/rfc1681.txt-Bellovin [Page 2] ../data/rfc/rfc1681.txt- ../data/rfc/rfc1681.txt-RFC 1681 On Many Addresses per Host August 1994 ../data/rfc/rfc1681.txt- ../data/rfc/rfc1681.txt- ../data/rfc/rfc1681.txt:Accounting and Billing ../data/rfc/rfc1681.txt- ../data/rfc/rfc1681.txt- For better or worse, some parts of the Internet are moving towards ../data/rfc/rfc1681.txt- usage-sensitive charging. 
At least four charging schemes seem ../data/rfc/rfc1681.txt- possible; doubtless, the marketeers in charge of such things can and ../data/rfc/rfc1681.txt- will come up with more. -- ../data/rfc/rfc1681.txt- It may be useful to assign each user on a host a separate IP address, ../data/rfc/rfc1681.txt- for the duration of the login session. This has a number of ../data/rfc/rfc1681.txt- advantages. ../data/rfc/rfc1681.txt- ../data/rfc/rfc1681.txt- The first ties in with the charging scheme given above. Usage- ../data/rfc/rfc1681.txt: sensitive accounting today is done by routers, and they have no ../data/rfc/rfc1681.txt- notion of who is using the hosts. If each user had a separate IP ../data/rfc/rfc1681.txt: address, we could continue to gather the accounting data at the ../data/rfc/rfc1681.txt- router. The host would simply have to record the address ../data/rfc/rfc1681.txt- assignments; billing could be done offline. ../data/rfc/rfc1681.txt- ../data/rfc/rfc1681.txt- Similarly, different classes of users could have different forms of ../data/rfc/rfc1681.txt- addresses. Those with hard-money accounts might have some bits set -- ../data/rfc/rfc5423.txt- 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 ../data/rfc/rfc5423.txt- 3. Event Model . . . . . . . . . . . . . . . . . . . . . . . . . 4 ../data/rfc/rfc5423.txt- 4. Event Types . . . . . . . . . . . . . . . . . . . . . . . . . 5 ../data/rfc/rfc5423.txt- 4.1. Message Addition and Deletion . . . . . . . . . . . . . . 5 ../data/rfc/rfc5423.txt- 4.2. Message Flags . . . . . . . . . . . . . . . . . . . . . . 7 ../data/rfc/rfc5423.txt: 4.3. Access Accounting . . . . . . . . . . . . . . . . . . . . 8 ../data/rfc/rfc5423.txt- 4.4. Mailbox Management . . . . . . . . . . . . . . . . . . . . 8 ../data/rfc/rfc5423.txt- 5. Event Parameters . . . . . . . . . . . . . . . . . . . . . . . 10 ../data/rfc/rfc5423.txt- 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 ../data/rfc/rfc5423.txt- 7. 
Security Considerations . . . . . . . . . . . . . . . . . . . 14 ../data/rfc/rfc5423.txt- 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 -- ../data/rfc/rfc5423.txt-Gellens & Newman Standards Track [Page 7] ../data/rfc/rfc5423.txt- ../data/rfc/rfc5423.txt-RFC 5423 Internet Message Store Events March 2009 ../data/rfc/rfc5423.txt- ../data/rfc/rfc5423.txt- ../data/rfc/rfc5423.txt:4.3. Access Accounting ../data/rfc/rfc5423.txt- ../data/rfc/rfc5423.txt: This section lists events related to message store access accounting. ../data/rfc/rfc5423.txt- ../data/rfc/rfc5423.txt- Login ../data/rfc/rfc5423.txt- A user has logged into the system via IMAP, HTTP, POP, or some ../data/rfc/rfc5423.txt- other mechanism. ../data/rfc/rfc5423.txt- -- ../data/rfc/rfc6736.txt- of Network Address Translators and Network Address and Port ../data/rfc/rfc6736.txt- Translators, which are added to networks to cope with IPv4 address ../data/rfc/rfc6736.txt- space depletion. This Diameter application allows external devices ../data/rfc/rfc6736.txt- to configure and manage a Network Address Translator device -- ../data/rfc/rfc6736.txt- expanding the existing Diameter-based Authentication, Authorization, ../data/rfc/rfc6736.txt: and Accounting (AAA) and policy control capabilities with a Network ../data/rfc/rfc6736.txt- Address Translator and Network Address and Port Translator control ../data/rfc/rfc6736.txt- component. These external devices can be network elements in the ../data/rfc/rfc6736.txt- data plane such as a Network Access Server, or can be more ../data/rfc/rfc6736.txt- centralized control plane devices such as AAA-servers. This Diameter ../data/rfc/rfc6736.txt- application establishes a context to commonly identify and manage -- ../data/rfc/rfc6736.txt- Network Address and Port Translator device. 
This includes, for ../data/rfc/rfc6736.txt- example, the control of the total number of Network Address ../data/rfc/rfc6736.txt- Translator bindings allowed or the allocation of a specific Network ../data/rfc/rfc6736.txt- Address Translator binding for a particular endpoint. In addition, ../data/rfc/rfc6736.txt- it allows Network Address Translator devices to provide information ../data/rfc/rfc6736.txt: relevant to accounting purposes. ../data/rfc/rfc6736.txt- ../data/rfc/rfc6736.txt-Status of This Memo ../data/rfc/rfc6736.txt- ../data/rfc/rfc6736.txt- This is an Internet Standards Track document. ../data/rfc/rfc6736.txt- -- ../data/rfc/rfc6736.txt- 4.4. Session Termination .......................................20 ../data/rfc/rfc6736.txt- 4.5. Session Abort .............................................21 ../data/rfc/rfc6736.txt- 4.6. Failure Cases of the DNCA Diameter Peers ..................22 ../data/rfc/rfc6736.txt- 5. Use of the Diameter Base Protocol ..............................23 ../data/rfc/rfc6736.txt- 5.1. Securing Diameter Messages ................................23 ../data/rfc/rfc6736.txt: 5.2. Accounting Functionality ..................................24 ../data/rfc/rfc6736.txt- 5.3. Use of Sessions ...........................................24 ../data/rfc/rfc6736.txt- 5.4. Routing Considerations ....................................24 ../data/rfc/rfc6736.txt- 5.5. Advertising Application Support ...........................24 ../data/rfc/rfc6736.txt- 6. DNCA Commands ..................................................25 ../data/rfc/rfc6736.txt- 6.1. NAT-Control-Request (NCR) Command .........................25 -- ../data/rfc/rfc6736.txt- 8.7.6. NAT-External-Address AVP ...........................38 ../data/rfc/rfc6736.txt- 8.7.7. Max-NAT-Bindings ...................................39 ../data/rfc/rfc6736.txt- 8.7.8. NAT-Control-Binding-Template AVP ...................39 ../data/rfc/rfc6736.txt- 8.7.9. 
Duplicate-Session-Id AVP ...........................39 ../data/rfc/rfc6736.txt- 8.7.10. NAT-External-Port-Style AVP .......................39 ../data/rfc/rfc6736.txt: 9. Accounting Commands ............................................40 ../data/rfc/rfc6736.txt: 9.1. NAT Control Accounting Messages ...........................40 ../data/rfc/rfc6736.txt: 9.2. NAT Control Accounting AVPs ...............................40 ../data/rfc/rfc6736.txt- 9.2.1. NAT-Control-Record .................................41 ../data/rfc/rfc6736.txt- 9.2.2. NAT-Control-Binding-Status .........................41 ../data/rfc/rfc6736.txt- 9.2.3. Current-NAT-Bindings ...............................41 ../data/rfc/rfc6736.txt- 10. AVP Occurrence Tables .........................................41 ../data/rfc/rfc6736.txt- 10.1. DNCA AVP Table for NAT Control Initial and Update ../data/rfc/rfc6736.txt- Requests .................................................42 ../data/rfc/rfc6736.txt- 10.2. DNCA AVP Table for Session Query Requests ................43 ../data/rfc/rfc6736.txt: 10.3. DNCA AVP Table for Accounting Messages ...................43 ../data/rfc/rfc6736.txt- 11. IANA Considerations ...........................................44 ../data/rfc/rfc6736.txt- 11.1. Application Identifier ...................................44 ../data/rfc/rfc6736.txt- 11.2. Command Codes ............................................44 ../data/rfc/rfc6736.txt- 11.3. AVP Codes ................................................44 ../data/rfc/rfc6736.txt- 11.4. Result-Code AVP Values ...................................44 -- ../data/rfc/rfc6736.txt- application allowing providers to control the behavior of NAT and ../data/rfc/rfc6736.txt- NAPT devices that implement IPv4-to-IPv4 network address and port ../data/rfc/rfc6736.txt- translation [RFC2663] as well as stateful IPv6-to-IPv4 address family ../data/rfc/rfc6736.txt- translation as defined in [RFC2663], [RFC6145], and [RFC6146]. 
../data/rfc/rfc6736.txt

The use of a Diameter application allows for simple integration into the existing Authentication, Authorization, and Accounting (AAA) environment of a provider.

The Diameter Network address and port translation Control Application (DNCA) offers the following capabilities:
--
contains a description of the IP address pool(s) to be used, for example, a list of IP-subnets. Such external address pools can be used to select the external IP address in NAPT/NAT-bindings for multiple subscribers.

4. Generates reports and accounting records: Reports established bindings for a particular endpoint. The collected information is used by accounting systems for statistical purposes.

5. Queries and retrieves details about bindings on demand: This feature complements the previously mentioned accounting functionality (see item 4). This feature can be used by an entity to find NAT-bindings belonging to one or multiple endpoints on the NAT device. The entity is not required to create a DNCA control session to perform the query but would, obviously, still need to create a Diameter session complying with
--
This document is structured as follows: Section 2 lists terminology, while Section 3 provides an introduction to DNCA and its overall deployment framework. Sections 3.2 to 8 cover DNCA specifics, with Section 3.2 describing session management, Section 5 the use of the Diameter base protocol, Section 6 new commands, Section 8 Attribute Value Pairs (AVPs) used, and Section 9 accounting aspects. Section 10 presents AVP occurrence tables. IANA and security considerations are addressed in Sections 11 and 12, respectively.

2. Conventions
--
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Abbreviations and terminology used in this document:

AAA: Authentication, Authorization, Accounting

DNCA: Diameter Network address and port translation Control Application

Endpoint: Managed entity of the DNCA. An endpoint represents a
--
resides within the NAT device, the other DNCA Diameter peer resides within a NAT controller (discussed in Section 3.3). DNCA allows per-endpoint control and management of NAT within the NAT device. Based on Diameter, DNCA integrates well with the suite of Diameter applications deployed for per-endpoint authentication, authorization, accounting, and policy control in service provider networks.

DNCA offers:

o Request and answer commands to control the allowed number of NAT-bindings per endpoint, to request the allocation of specific
--
RFC 6736 Diameter NAT Control Application October 2012

o Unique identification of an endpoint on a NAT device, AAA-server, and NAS to simplify correlation of accounting data streams.

DNCA allows controlling the behavior of a NAT device on a per-endpoint basis during initial session establishment and at later stages by providing an update procedure for already established sessions. Using DNCA, per-endpoint NAT-binding information can be retrieved using either accounting mechanisms or an explicit session query to the NAT.

3.3. Deployment Scenarios for DNCA

DNCA can be deployed in different ways. DNCA supports deployments
--
Any deployment MUST ensure that, for any given endpoint, only a single DNCA NAT controller is active at any point in time. This is to ensure that NAT devices controlled by multiple NAT controllers do not receive conflicting control requests for a particular endpoint and are never unclear about which NAT controller to send accounting information to. Operational considerations MAY require an operator to use alternate control mechanisms or protocols such as SNMP or manual configuration via a CLI to apply per-endpoint NAT-specific configuration, for example, static NAT-bindings. For these cases, the NAT device MUST allow the operator to configure a policy on how configuration conflicts are resolved. Such a policy could
--
for environments where minimal changes to the existing AAA deployment are desired. The NAS and the NAT device are Diameter peers supporting the DNCA. The Diameter peer within the NAS, performing the role of the NAT controller, initiates and manages sessions with the NAT device, exchanges NAT-specific configuration information, and handles reporting and accounting information. The NAS receives reporting and accounting information from the NAT device. With this information, the NAS can provide a single accounting record for the endpoint. A system correlating the accounting information received from the NAS and NAT device would not be needed.

Brockners, et al. Standards Track [Page 10]

An example network attachment for an integrated NAT deployment can be described as follows: an endpoint connects to the network, with the NAS being the point of attachment. After successful authentication,
--
and sends relevant authorization and configuration information for the particular endpoint to the NAT device. This can comprise NAT-bindings, which have to be pre-established for the endpoint, or management-related configuration, such as the maximum number of NAT-bindings allowed for the endpoint. The NAT device sends its per-endpoint accounting information to the NAS, which aggregates the accounting information received from the NAT device with its local accounting information for the endpoint into a single accounting stream towards the AAA-server.

[Figure fragment: box labeled "AAA"; remainder of the integrated deployment figure not included]
--
The autonomous deployment approach decouples endpoint management on the NAS and NAT device. In the autonomous deployment approach, the AAA-system and the NAT device are the Diameter peers running the DNCA. The AAA-system also serves as NAT controller. It manages the connection to the NAT device, controls the per-endpoint configuration, and receives accounting and reporting information from the NAT device. Different from the integrated deployment scenario, the autonomous deployment scenario does not "hide" the existence of the NAT device from the AAA infrastructure. Here, two accounting streams are received by the AAA-server for one particular endpoint: one from the NAS and one from the NAT device.

[Figure fragment: box labeled "(C)"; remainder of the autonomous deployment figure not included]
--
always the control-requesting entity: it initiates, updates, or terminates the sessions. Sessions are initiated when the NAT controller learns about a new endpoint (i.e., host) that requires a NAT service. This could be due to, for example, the entity hosting the NAT controller receiving authentication, authorization, or accounting requests for or from the endpoint. Alternate methods that could trigger session setup include local configuration, receipt of a packet from a formerly unknown IP address, etc.

4.1. Session Establishment
--
the DNCA Diameter peer within the NAT controller. The DNCA Diameter peer sends a Session-Termination-Request (STR) message to its peer within the NAT device upon receiving a trigger signal. The source of the trigger signal is outside the scope of this document. As part of STR-message processing, the DNCA Diameter peer within the NAT device MAY send an accounting stop record reporting all bindings. All the NAT-bindings belonging to the session MUST be removed, and the session state MUST be cleaned up. The DNCA Diameter peer within the NAT device MUST notify its DNCA Diameter peer in the NAT controller about successful session termination using a Session-Termination-Answer (STA) message with Result-Code set to DIAMETER_SUCCESS.
--
[Sequence diagram fragment: "Send accounting stop" / "reporting all session bindings" (arrow from the right-hand column to the left-hand column), followed by "Remove NAT-bindings"]
--
AVP to report the Session-Id of the existing session. The DNCA Diameter peer within the NAT controller MAY send an explicit Session-Termination-Request (STR) for the older session, which was lost.

* a DNCA Diameter peer MAY receive accounting records for a session that does not exist. The DNCA Diameter peer sends an accounting answer with the Result-Code set to
--
Result-Code set to DIAMETER_UNKNOWN_SESSION_ID, it MAY try to re-establish the DNCA session or disconnect the corresponding access session.

o The DNCA Diameter peer within the NAT controller is unreachable, for example, it is detected by Diameter device watchdog messages (as defined in Section 5.5 of [RFC6733]) or accounting requests from the DNCA Diameter peer fail to get a response; NAT-bindings and NAT device state pertaining to that session MUST be cleaned up after a grace period that is configurable on the NAT device. The grace period can be configured as zero or higher, depending on operator preference.
--
o The content of the NCR Command

o Any combination of the above

5.2. Accounting Functionality

Accounting functionality (the accounting session state machine, related Command Codes and AVPs) is defined in Section 9.

5.3. Use of Sessions

Each DNCA session MUST have a globally unique Session-Id, as defined in [RFC6733], which MUST NOT be changed during the lifetime of the DNCA session. The Diameter Session-Id serves as the global endpoint identifier. The DNCA Diameter peers maintain state associated with the Session-Id. This globally unique Session-Id is used for updating, accounting, and terminating the session. A DNCA session MUST NOT have more than one outstanding request at any given time. A DNCA Diameter peer sends an Abort-Session-Request as defined in [RFC6733] if it is unable to maintain sessions due to resource limitation.
--
9. Accounting Commands

The DNCA reuses session-based accounting as defined in the Diameter base protocol [RFC6733] to report the bindings per endpoint. This reporting is achieved by sending Diameter Accounting-Request (ACR) commands [Start, Interim, and Stop] from the DNCA Diameter peer within the NAT device to its associated DNCA Diameter peer within the NAT controller.

The DNCA Diameter peer within the NAT device sends an ACR Start on
--
The function of correlating the multiple bindings used by an endpoint at any given time is relegated to the post processor.

The DNCA Diameter peer within the NAT device may trigger an Interim accounting record when the maximum number of bindings, if received in an NCR, is reached.

9.1. NAT Control Accounting Messages

The ACR and ACA messages are reused as defined in the Diameter base protocol [RFC6733] for exchanging endpoint NAT-binding details between the DNCA Diameter peers. The DNCA Application ID is used in the accounting commands. The ACR contains one or more optional NAT-Control-Record AVPs to report the bindings. The NAT device indicates the number of allocated NAT-bindings to the NAT controller using the Current-NAT-Bindings AVP. This number needs to match the number of bindings identified as active within the NAT-Control-Record AVP.

9.2. NAT Control Accounting AVPs

In addition to AVPs for ACR specified in [RFC6733], the DNCA Diameter peer within the NAT device must add the NAT-Control-Record AVP.
--
Remove AVPs could be present in update or initial requests. Consider the following examples:

Neither the NAT-Control-Install AVP nor the NAT-Control-Remove AVP is present: This could, for example, be the case if the NAT controller would only want to receive accounting information but not control NAT-bindings.

Only NAT-Control-Install AVP is present: This could, for example, be the case if a new NAT-binding is installed for an existing session.
--
   |NAT-External-Address      0+     0   |
   |Current-NAT-Bindings      0      1   |
   |Duplicate-Session-Id      0      0   |
   +-------------------------------------+

10.3. DNCA AVP Table for Accounting Messages

The following table lists DNCA-specific AVPs, which may or may not be present in ACR and ACA messages.

   +-------------------+
   |   Command Code    |
--
   Auth-Application-Id = <DNCA Application ID>
   Origin-Host = "nat-device.example.com"
   Origin-Realm = "example.com"
   Destination-Realm = "example.com"
   Destination-Host = "natC.example.com"
   Accounting-Record-Type = STOP_RECORD
   Accounting-Record-Number = 1
   NAT-Control-Record = {
     NAT-Control-Definition = {
       Protocol = TCP
       Direction = OUT
       NAT-Internal-Address = {
--
   <ACA> ::= < Diameter Header: 271, PXY >
   Session-Id = "natC.example.com:33041;23432;"
   Origin-Host = "natC.example.com"
   Origin-Realm = "example.com"
   Result-Code = DIAMETER_SUCCESS
   Accounting-Record-Type = STOP_RECORD
   Accounting-Record-Number = 1

6. On receipt of the ACA, the NAT device cleans up all NAT-bindings and associated session state for the endpoint.

7. The NAT device sends an STA. On receipt of the STA the NAT

../data/rfc/rfc5224.txt

This specification assigns the value 314 from the Command Code namespace defined in [RFC3588]. See Section 5.4.1.3.1 of [PEM-1-TS] to see how the command code is used.

IANA has made the following assignment in the "Authentication, Authorization, and Accounting (AAA) Parameters" registry, in the sub-registry "Command Codes".

   Code Value     Name                            Reference
   -------------- ------------------------------- ---------
   314            PDR / PDA                       [RFC5224]

../data/rfc/rfc5216.txt

Since the identity presented in the EAP-Response/Identity need not be related to the identity presented in the peer certificate, EAP-TLS implementations SHOULD NOT require that they be identical. However, if they are not identical, the identity presented in the EAP-Response/Identity is unauthenticated information, and SHOULD NOT be used for access control or accounting purposes.
--
5.2. Peer and Server Identities

The EAP-TLS peer name (Peer-Id) represents the identity to be used for access control and accounting purposes. The Server-Id represents the identity of the EAP server. Together the Peer-Id and Server-Id name the entities involved in deriving the MSK/EMSK.

In EAP-TLS, the Peer-Id and Server-Id are determined from the subject or subjectAltName fields in the peer and server certificates. For

../data/rfc/rfc2456.txt

is active; and on row deletion if the last state was active, in which case the notification indicates that the state is now inactive.

The SNANAU APPN MIB also provides a mechanism for a management station to collect traffic statistics on intermediate sessions, primarily for accounting purposes. However, when the session is terminated, all statistics from the last poll until the session termination time are lost, since the row for that session is deleted from the appnIsInTable. This MIB defines a notification so that the session's final statistics can be sent to a management station. If the notification is not delivered, the final session statistics are
--
The APPN TRAP MIB module contains a group of notifications, and a group of supporting objects.

The group of notifications consists of the following notifications:

1) appnIsrAccountingDataTrap

This notification is generated by an APPN device when an intermediate session is terminating, to report the final accounting statistics of the session.

2) appnLocalTgOperStateChangeTrap

This notification identifies a change to the appnLocalTgOperational
--
This notification identifies a change to the dlurDlusSessnStatus object in a row of the SNANAU DLUR MIB dlurDlusTable.

The group of supporting objects contains the appnTrapControl object, which controls whether the APPN device generates each type of notification. Note that generation of the appnIsrAccountingDataTrap is not controlled by this object; instead it is controlled by the appnIsInGlobalCtrAdminStatus object in the SNANAU APPN MIB.

Although APPN notification generation could be controlled solely by entries in the snmpNotificationMIB, RFC 2273 [9], the appnTrapControl
--
-- *********************************************************************
-- Notifications
-- *********************************************************************

appnIsrAccountingDataTrap NOTIFICATION-TYPE
    OBJECTS {
        appnIsInP2SFmdPius,
        appnIsInS2PFmdPius,
        appnIsInP2SNonFmdPius,
        appnIsInS2PNonFmdPius,
--
    DESCRIPTION
        "When it has been enabled, this notification is generated by an
        APPN node whenever an ISR session passing through the node is
        taken down, regardless of whether the session went down
        normally or abnormally. Its purpose is to allow a management
        application (primarily an accounting application) that is
        monitoring the ISR counts to receive the final values of these
        counts, so that the application can properly account for the
        amounts the counts were incremented since the last time the
        application polled them. The appnIsInSessUpTime object
        provides the total amount of time that the session was active.
--
        notifications of that type, subject to further filtering
        resulting from entries in the snmpNotificationMIB. Setting
        this bit to 0 disables generation of notifications of that
        type.

        Note that generation of the appnIsrAccountingDataTrap is
        controlled by the appnIsInGlobalCtrAdminStatus object in
        the APPN MIB: if counts of intermediate session traffic
        are being kept at all, then the notification is also enabled."

    ::= { appnTrapObjects 1 }
--
    ::= { appnCompliances 2 }

-- Units of conformance
appnTrapMibIsrNotifGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        appnIsrAccountingDataTrap
    }
    STATUS current
    DESCRIPTION
        "A notification for reporting the final values of the
        APPN MIB's ISR counters."

../data/rfc/rfc5415.txt

12.1. CAPWAP Security

As it is currently specified, the CAPWAP protocol sits between the security mechanisms specified by the wireless link layer protocol (e.g., IEEE 802.11i) and Authentication, Authorization, and Accounting (AAA). One goal of CAPWAP is to bootstrap trust between the STA and WTP using a series of preestablished trust relationships:

   STA          WTP          AC          AAA
   ==============================================
--
automatic key generation and periodic update, or it MAY be accomplished manually instead.

Every pairwise combination of WTP and AC on the network SHOULD have a unique PSK. This prevents the domino effect (see "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management" [RFC4962]). If PSKs are tied to specific WTPs, then knowledge of the PSK implies a binding to a specified identity that can be authorized.

If PSKs are shared, this binding between device and identity is no longer possible. Compromise of one WTP can yield compromise of
--
[RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition of Explicit Congestion Notification (ECN) to IP", RFC 3168, September 2001.

[RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and Accounting (AAA) Transport Profile", RFC 3539, June 2003.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.
--
L. Yang, "Objectives for Control and Provisioning of Wireless Access Points (CAPWAP)", RFC 4564, July 2006.

[RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management", BCP 132, RFC 4962, July 2007.

[LWAPP] Calhoun, P., O'Hara, B., Suri, R., Cam Winget, N., Kelly, S., Williams, M., and S. Hares,

../data/rfc/rfc1699.txt

Elliott Informational [Page 6]

RFC 1699 Summary of 1600-1699 January 1997

1672 Brownlee Aug 94 Accounting Requirements for IPng

This white paper discusses accounting requirements for IPng. It recommends that all IPng packets carry accounting tags, which would vary in size. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.

1671 Carpenter Aug 94 IPng White Paper on Transition and Other

../data/rfc/rfc4083.txt

In order to use the 3GPP IMS, a user is assigned a private user identity. The home network operator assigns the private user identity, which is used to identify the user uniquely from a network perspective. The private user identity is used, for example, for authentication, authorization, administration, and, possibly, accounting purposes. Note that the private user identity is not used for routing of SIP messages.

The private user identity is a unique global identity defined by the Home Network Operator. The identity takes the form of a Network Access Identifier (NAI) as defined in RFC 2486 [6].

../data/rfc/rfc6929.txt

We define a new data type in RADIUS, called "integer64", which carries a 64-bit unsigned integer in network byte order.

This data type is intended to be used in any situation where there is a need to have counters that can count past 2^32. The expected use of this data type is within Accounting-Request packets, but this data type SHOULD be used in any packet where 32-bit integers are expected to be insufficient.

The "integer64" data type can be used in Attributes of any format, standard space, extended attributes, TLVs, and VSAs.
--
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[RFC3575] Aboba, B., "IANA Considerations for RADIUS (Remote Authentication Dial In User Service)", RFC 3575, July 2003.

../data/rfc/rfc2599.txt

[STANDARDS-TRACK]

2513 McCloghrie Feb 1999 Managed Objects for Controlling the Collection and Storage of Accounting Information for Connection-Oriented Networks

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects used for controlling the collection and storage of accounting information for connection-oriented networks such as ATM. [STANDARDS-TRACK]

2512 McCloghrie Feb 1999 Accounting Information for ATM Networks

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. This memo defines a set of ATM-specific accounting information which can be collected for connections on ATM networks. [STANDARDS-TRACK]

2511 Myers Mar 1999 Internet X.509 Certificate Request Message Format

../data/rfc/rfc1045.txt

communication activity for purposes of resource allocation and management. For example, when a lock is requested on a file, the lock is associated with the process, not the requesting entity, allowing a process to use multiple entity identifiers to perform operations without lock conflict between these entities. The principal associated with an entity specifies the permissions, security, and accounting designation associated with the entity. The process and principal identifiers are included in VMTP solely to make these values available to VMTP users with the security and efficiency provided by VMTP. Only the entity identifiers are actively used by the protocol.

../data/rfc/rfc7224.txt

     identity ieee8023adLag {
       base iana-interface-type;
       description
         "IEEE 802.3ad Link Aggregate.";
     }
     identity bgppolicyaccounting {
       base iana-interface-type;
       description
         "BGP Policy Accounting.";
     }

Bjorklund Standards Track [Page 21]

../data/rfc/rfc2750.txt

   0 = ERR_INFO    : Information reporting
   1 = ERR_WARN    : Warning
   2 = ERR_UNKNOWN : Reason unknown
   3 = ERR_REJECT  : Generic Policy Rejection
   4 = ERR_EXCEED  : Quota or Accounting violation
   5 = ERR_PREEMPT : Flow was preempted
   6 = ERR_EXPIRED : Previously installed policy expired (not
                     refreshed)
   7 = ERR_REPLACED: Previous policy data was replaced & caused
                     rejection

../data/rfc/rfc4778.txt

possible if the attacker has control of a host in the communications path between two victim machines, or has compromised the routing infrastructure to specifically arrange that traffic pass through a compromised machine. There are also situations where mirrored traffic (often used for debugging, performance monitoring, or accounting purposes) is diverted to a compromised machine, which would not necessarily subvert any existing topology, and could be harder to detect. In general, the goal of a passive attack is to obtain information that the sender and receiver would prefer to remain private [RFC3552].
--
o DoS Mitigation

In many instances, a specific protocol currently deployed will offer a combination of these services. For example, Authentication, Authorization, and Accounting (AAA) can offer user authentication, user authorization, and audit/logging services, while the Secure SHell (SSH) Protocol can provide data origin authentication, data integrity, and data confidentiality. The services offered are more important than the actual protocol used. Note that access control will refer basically to logical access control, i.e., filtering.
--
usually 30 days. Every entity authenticated via AAA is an individual user, for greater granularity of control. Note that often the AAA server used for OOB management authentication is a separate physical device from the AAA server used for in-band management user authentication. In some deployments, the AAA servers used for device management authentication/authorization/accounting are on separate networks to provide a demarcation from any other authentication functions.

For backup purposes, there is often a single local database entry for authentication that is known to a very limited set of key personnel.

../data/rfc/rfc6696.txt

same domain as the peer, it SHOULD initiate an ERP bootstrap exchange with the home ER server to obtain the domain name.

The defined ER extensions allow executing ERP with an ER server in the home domain. The home ER server may be co-located with a home Authentication, Authorization, and Accounting (AAA) server. ERP with the home ER server is similar to the ERP exchange described in Figure 1.

   Peer        ER Authenticator        Home ER Server
   ====        ================        ==============
--
[RFC4187] Arkko, J. and H. Haverinen, "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)", RFC 4187, January 2006.

[RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management", BCP 132, RFC 4962, July 2007.
../data/rfc/rfc6696.txt- ../data/rfc/rfc6696.txt- [RFC5169] Clancy, T., Nakhjiri, M., Narayanan, V., and L. Dondeti, ../data/rfc/rfc6696.txt- "Handover Key Management and Re-Authentication Problem ../data/rfc/rfc6696.txt- Statement", RFC 5169, March 2008. -- ../data/rfc/rfc6674.txt- part of the traffic received from an access device is tunneled over ../data/rfc/rfc6674.txt- the softwire to the AFTR. The combination of CID and SWID must be ../data/rfc/rfc6674.txt- unique between the access gateway and AFTR to identify the flows ../data/rfc/rfc6674.txt- associated with an AD. The CID is typically a 32-bit-wide identifier ../data/rfc/rfc6674.txt- and is assigned by the access gateway. It is retrieved either from a ../data/rfc/rfc6674.txt: local or remote (e.g., Authentication, Authorization, and Accounting ../data/rfc/rfc6674.txt- (AAA)) repository. Like the SWID, the embodiment of the CID depends ../data/rfc/rfc6674.txt- on the tunnel mode used and the type of the network connecting the ../data/rfc/rfc6674.txt- access gateway and AFTR. If, for example, GRE [RFC2784] with GRE Key ../data/rfc/rfc6674.txt- and Sequence Number extensions [RFC2890] is used as the softwire ../data/rfc/rfc6674.txt- technology, the network connecting the access gateway and AFTR could -- ../data/rfc/rfc6674.txt- 3. The access gateway creates an access tunnel endpoint. The access ../data/rfc/rfc6674.txt- tunnel links AD and access gateway. ../data/rfc/rfc6674.txt- ../data/rfc/rfc6674.txt- 4. (Optional): The access gateway and the AFTR establish a control ../data/rfc/rfc6674.txt- session between themselves. This session can, for example, be ../data/rfc/rfc6674.txt: used to exchange accounting or NAT-configuration information. 
../data/rfc/rfc6674.txt: Accounting information could be supplied to the access gateway, ../data/rfc/rfc6674.txt- AAA/Policy, or other network entities that require information ../data/rfc/rfc6674.txt- about the externally visible address/port pairs of a particular ../data/rfc/rfc6674.txt- access device. The Diameter NAT Control Application ../data/rfc/rfc6674.txt- [NAT-CONTROL] could, for example, be used for this purpose. ../data/rfc/rfc6674.txt- -- ../data/rfc/rfc7843.txt- IGD-PCP IWF. Depending on an actual implementation, the UPnP IGD-PCP ../data/rfc/rfc7843.txt- IWF can then either use the ID of the tunnel in which the UPnP ../data/rfc/rfc7843.txt- message arrived directly as the THIRD_PARTY_ID option for PCP ../data/rfc/rfc7843.txt- requests to the CGN, or it uses the ID of the tunnel to retrieve the ../data/rfc/rfc7843.txt- THIRD_PARTY_ID option from the Authentication, Authorization, and ../data/rfc/rfc7843.txt: Accounting (AAA) server. ../data/rfc/rfc7843.txt- ../data/rfc/rfc7843.txt- To support the latter option, the BRAS needs to register the ../data/rfc/rfc7843.txt- subscriber's tunnel IDs at the AAA server at the time it contacts the ../data/rfc/rfc7843.txt- AAA server for authentication and/or authorization of the subscriber. ../data/rfc/rfc7843.txt- The tunnel IDs to be registered per subscriber at the AAA server may -- ../data/rfc/rfc5169.txt- In many common deployment scenarios, an EAP peer and EAP server ../data/rfc/rfc5169.txt- authenticate each other through a third party known as the pass- ../data/rfc/rfc5169.txt- through authenticator (hereafter referred to as simply ../data/rfc/rfc5169.txt- "authenticator"). The authenticator is responsible for encapsulating ../data/rfc/rfc5169.txt- EAP packets from a network-access technology lower layer within the ../data/rfc/rfc5169.txt: Authentication, Authorization, and Accounting (AAA) protocol. 
The ../data/rfc/rfc5169.txt- authenticator does not directly participate in the EAP exchange, and ../data/rfc/rfc5169.txt- simply acts as a gateway during the EAP method execution. ../data/rfc/rfc5169.txt- ../data/rfc/rfc5169.txt- After successful authentication, the EAP server transports the MSK to ../data/rfc/rfc5169.txt- the authenticator. Note that this is performed using AAA protocols, -- ../data/rfc/rfc5169.txt- "Extensible Authentication Protocol (EAP) ../data/rfc/rfc5169.txt- Method Requirements for Wireless LANs", ../data/rfc/rfc5169.txt- RFC 4017, March 2005. ../data/rfc/rfc5169.txt- ../data/rfc/rfc5169.txt- [RFC4962] Housley, R. and B. Aboba, "Guidance for ../data/rfc/rfc5169.txt: Authentication, Authorization, and Accounting ../data/rfc/rfc5169.txt- (AAA) Key Management", BCP 132, RFC 4962, ../data/rfc/rfc5169.txt- July 2007. ../data/rfc/rfc5169.txt- ../data/rfc/rfc5169.txt-10.2. Informative References ../data/rfc/rfc5169.txt- -- ../data/rfc/rfc5106.txt- Note, however, that the EAP peer provides its identity in message 2 ../data/rfc/rfc5106.txt- in Figure 1 in cleartext. In order to provide identity ../data/rfc/rfc5106.txt- confidentiality as discussed in the previous paragraphs, it is ../data/rfc/rfc5106.txt- necessary to obfuscate the username part of the identity (the realm ../data/rfc/rfc5106.txt- part must stay intact to allow correct message routing by the ../data/rfc/rfc5106.txt: Authentication, Authorization, and Accounting (AAA) infrastructure). ../data/rfc/rfc5106.txt- The EAP server then uses the identity information in message 4. The ../data/rfc/rfc5106.txt- same mechanism is also used by other EAP methods to provide identity ../data/rfc/rfc5106.txt- confidentiality, for example, EAP-TTLS [8]. ../data/rfc/rfc5106.txt- ../data/rfc/rfc5106.txt-10.6. 
Key Strength -- ../data/rfc/rfc3295.txt- The group of notifications consists of the following notifications: ../data/rfc/rfc3295.txt- ../data/rfc/rfc3295.txt- - gsmpSessionDown ../data/rfc/rfc3295.txt- ../data/rfc/rfc3295.txt- This notification is generated when a session is terminating and also ../data/rfc/rfc3295.txt: reports the final accounting statistics of the session. ../data/rfc/rfc3295.txt- ../data/rfc/rfc3295.txt- - gsmpSessionUp ../data/rfc/rfc3295.txt- ../data/rfc/rfc3295.txt- This notification is generated when a new session is established. ../data/rfc/rfc3295.txt- -- ../data/rfc/rfc3295.txt- DESCRIPTION ../data/rfc/rfc3295.txt- "When it has been enabled, this notification is ../data/rfc/rfc3295.txt- generated whenever a session is taken down, regardless ../data/rfc/rfc3295.txt- of whether the session went down normally or not. ../data/rfc/rfc3295.txt- Its purpose is to allow a management application ../data/rfc/rfc3295.txt: (primarily an accounting application) that is ../data/rfc/rfc3295.txt- monitoring the session statistics to receive the final ../data/rfc/rfc3295.txt- values of these counters, so that the application can ../data/rfc/rfc3295.txt- properly account for the amounts the counters were ../data/rfc/rfc3295.txt- incremented since the last time the application polled ../data/rfc/rfc3295.txt- them. The gsmpSessionStartUptime object provides the -- ../data/rfc/rfc8993.txt- a network with no predefined topology, ideally no manual ../data/rfc/rfc8993.txt- configuration of any kind, and with nodes starting up from factory ../data/rfc/rfc8993.txt- condition or after any form of failure or sudden topology change. ../data/rfc/rfc8993.txt- ../data/rfc/rfc8993.txt- Second, network services such as Authentication, Authorization, and ../data/rfc/rfc8993.txt: Accounting (AAA) should also be discovered and not configured. ../data/rfc/rfc8993.txt- Service discovery is required for such tasks. 
An Autonomic Network ../data/rfc/rfc8993.txt- can leverage existing service discovery functions, use a new ../data/rfc/rfc8993.txt- approach, or use a mixture. ../data/rfc/rfc8993.txt- ../data/rfc/rfc8993.txt- Thus, the discovery mechanism could either be fully integrated with -- ../data/rfc/rfc5176.txt- This document frequently uses the following terms: ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- Dynamic Authorization Client (DAC) ../data/rfc/rfc5176.txt- The entity originating Change of Authorization (CoA) Requests or ../data/rfc/rfc5176.txt- Disconnect-Requests. While it is possible that the DAC is ../data/rfc/rfc5176.txt: co-resident with a RADIUS authentication or accounting server, ../data/rfc/rfc5176.txt- this need not necessarily be the case. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- Dynamic Authorization Server (DAS) ../data/rfc/rfc5176.txt- The entity receiving CoA-Request or Disconnect-Request packets. ../data/rfc/rfc5176.txt- The DAS may be a NAS or a RADIUS proxy. -- ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- The packet format consists of the following fields: Code, Identifier, ../data/rfc/rfc5176.txt- Length, Authenticator, and Attributes in Type-Length-Value (TLV) ../data/rfc/rfc5176.txt- format. All fields hold the same meaning as those described in ../data/rfc/rfc5176.txt- RADIUS [RFC2865]. The Authenticator field MUST be calculated in the ../data/rfc/rfc5176.txt: same way as is specified for an Accounting-Request in [RFC2866]. 
../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- 0 1 2 3 ../data/rfc/rfc5176.txt- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ../data/rfc/rfc5176.txt- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ../data/rfc/rfc5176.txt- | Code | Identifier | Length | -- ../data/rfc/rfc5176.txt- Request Authenticator ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- In Request packets, the Authenticator value is a 16-octet MD5 ../data/rfc/rfc5176.txt- [RFC1321] checksum, called the Request Authenticator. The ../data/rfc/rfc5176.txt- Request Authenticator is calculated the same way as for an ../data/rfc/rfc5176.txt: Accounting-Request, specified in [RFC2866]. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- Note that the Request Authenticator of a CoA-Request or ../data/rfc/rfc5176.txt- Disconnect-Request cannot be computed the same way as the ../data/rfc/rfc5176.txt- Request Authenticator of a RADIUS Access-Request, because there ../data/rfc/rfc5176.txt- is no User-Password Attribute in a CoA-Request or Disconnect- -- ../data/rfc/rfc5176.txt- or Disconnect messages, and if so, which messages it can be ../data/rfc/rfc5176.txt- included in and whether it serves as an identification or ../data/rfc/rfc5176.txt- authorization attribute. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- Even if a NAS implements an attribute for use with RADIUS ../data/rfc/rfc5176.txt: authentication and accounting, it is possible that it will not ../data/rfc/rfc5176.txt- support inclusion of that attribute within CoA-Request and ../data/rfc/rfc5176.txt- Disconnect-Request packets, given the difference in attribute ../data/rfc/rfc5176.txt- semantics. 
This is true even for attributes specified as ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- -- ../data/rfc/rfc5176.txt- To address security concerns described in Section 6.1, either the ../data/rfc/rfc5176.txt- User-Name or Chargeable-User-Identity attribute SHOULD be present in ../data/rfc/rfc5176.txt- Disconnect-Request and CoA-Request packets. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- Where a Diameter client utilizes the same Session-Id for both ../data/rfc/rfc5176.txt: authorization and accounting, inclusion of an Acct-Session-Id ../data/rfc/rfc5176.txt- Attribute in a Disconnect-Request or CoA-Request can assist with ../data/rfc/rfc5176.txt- Diameter/RADIUS translation, since Diameter RAR and ASR commands ../data/rfc/rfc5176.txt- include a Session-Id AVP. An Acct-Session-Id Attribute SHOULD be ../data/rfc/rfc5176.txt- included in Disconnect-Request and CoA-Request packets. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- A NAS implementing this specification SHOULD send an Acct-Session-Id ../data/rfc/rfc5176.txt- or Acct-Multi-Session-Id Attribute within an Access-Request. Where ../data/rfc/rfc5176.txt- an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not included ../data/rfc/rfc5176.txt- within an Access-Request, the Dynamic Authorization Client will not ../data/rfc/rfc5176.txt- know the Acct-Session-Id or Acct-Multi-Session-Id of the session it ../data/rfc/rfc5176.txt: is attempting to target, unless it also has access to the accounting ../data/rfc/rfc5176.txt- data for that session. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- Where an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not ../data/rfc/rfc5176.txt- present in a CoA-Request or Disconnect-Request, it is possible that ../data/rfc/rfc5176.txt- the User-Name or Chargeable-User-Identity attributes will not be -- ../data/rfc/rfc5176.txt- attributes. 
If other attributes are included in a Disconnect- ../data/rfc/rfc5176.txt- Request, implementations MUST send a Disconnect-NAK; an Error-Cause ../data/rfc/rfc5176.txt- Attribute with value "Unsupported Attribute" MAY be included. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- The DAC may require access to data from RADIUS authentication or ../data/rfc/rfc5176.txt: accounting packets. It uses this data to compose compliant CoA- ../data/rfc/rfc5176.txt- Request or Disconnect-Request packets. For example, as described in ../data/rfc/rfc5176.txt- Section 3.3, a CoA-Request packet containing a Service-Type Attribute ../data/rfc/rfc5176.txt- with a value of "Authorize Only" is required to contain a State ../data/rfc/rfc5176.txt- Attribute. The NAS will subsequently transmit this attribute to the ../data/rfc/rfc5176.txt- RADIUS server in an Access-Request. In order for the DAC to include -- ../data/rfc/rfc5176.txt- attribute value is to remain unchanged. Attributes included in a ../data/rfc/rfc5176.txt- CoA-Request replace all existing values of the same attribute(s). ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- (Note 4) When included within a successful Disconnect-Request (where ../data/rfc/rfc5176.txt- a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be ../data/rfc/rfc5176.txt: sent unmodified by the NAS to the RADIUS accounting server in the ../data/rfc/rfc5176.txt: Accounting Stop packet. If the Disconnect-Request is unsuccessful, ../data/rfc/rfc5176.txt- then the Class Attribute is not processed. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- (Note 5) When included within a CoA-Request, these attributes ../data/rfc/rfc5176.txt- represent an authorization change request. Where tunnel attributes ../data/rfc/rfc5176.txt- are included within a successful CoA-Request, all existing tunnel -- ../data/rfc/rfc5176.txt- Session-Id AVP and a Re-Auth-Request-Type AVP with value "AUTHORIZE ../data/rfc/rfc5176.txt- ONLY". 
Then the Diameter/RADIUS gateway will respond to the ensuing ../data/rfc/rfc5176.txt- access request with a response including the authorization attributes ../data/rfc/rfc5176.txt- gleaned from the CoA-Request. To enable translation, the CoA-Request ../data/rfc/rfc5176.txt- SHOULD include an Acct-Session-Id Attribute. If the Diameter client ../data/rfc/rfc5176.txt: uses the same Session-Id for both authorization and accounting, then ../data/rfc/rfc5176.txt- the Diameter/RADIUS gateway can copy the contents of the Acct- ../data/rfc/rfc5176.txt- Session-Id Attribute into the Session-Id AVP; otherwise, it will ../data/rfc/rfc5176.txt- need to map the Acct-Session-Id value to an equivalent Session-Id for ../data/rfc/rfc5176.txt- use within a RAR command. ../data/rfc/rfc5176.txt- -- ../data/rfc/rfc5176.txt-RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- translated to a Disconnect-Request containing Acct-Session-Id and ../data/rfc/rfc5176.txt- User-Name attributes. If the Diameter client utilizes the same ../data/rfc/rfc5176.txt: Session-Id in both authorization and accounting, then the value of ../data/rfc/rfc5176.txt- the Session-ID AVP may be placed in the Acct-Session-Id Attribute; ../data/rfc/rfc5176.txt- otherwise the value of the Session-ID AVP will need to be mapped to ../data/rfc/rfc5176.txt- an appropriate Acct-Session-Id Attribute. To enable translation of a ../data/rfc/rfc5176.txt- Disconnect-Request to an ASR, an Acct-Session-Id Attribute SHOULD be ../data/rfc/rfc5176.txt- present. 
../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- If the Diameter client utilizes the same Session-Id in both ../data/rfc/rfc5176.txt: authorization and accounting, then the value of the Acct-Session-Id ../data/rfc/rfc5176.txt- Attribute may be placed into the Session-ID AVP within the ASR; ../data/rfc/rfc5176.txt- otherwise the value of the Acct-Session-Id Attribute will need to be ../data/rfc/rfc5176.txt- mapped to an appropriate Session-ID AVP. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- An Abort-Session-Answer (ASA) command is sent in response to an ASR -- ../data/rfc/rfc5176.txt- affecting the sessions of another provider. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- A Dynamic Authorization Server MUST silently discard Disconnect- ../data/rfc/rfc5176.txt- Request or CoA-Request packets from untrusted sources. In situations ../data/rfc/rfc5176.txt- where the Dynamic Authorization Client is co-resident with a RADIUS ../data/rfc/rfc5176.txt: authentication or accounting server, a proxy MAY perform a "reverse ../data/rfc/rfc5176.txt- path forwarding" (RPF) check to verify that a Disconnect-Request or ../data/rfc/rfc5176.txt- CoA-Request originates from an authorized Dynamic Authorization ../data/rfc/rfc5176.txt- Client. In addition, it SHOULD be possible to explicitly authorize ../data/rfc/rfc5176.txt- additional sources of Disconnect-Request or CoA-Request packets ../data/rfc/rfc5176.txt- relating to certain classes of sessions. For example, a particular -- ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- [RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, ../data/rfc/rfc5176.txt- "Remote Authentication Dial In User Service (RADIUS)", ../data/rfc/rfc5176.txt- RFC 2865, June 2000. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- [RFC2869] Rigney, C., Willats W. and P. 
Calhoun, "RADIUS ../data/rfc/rfc5176.txt- Extensions", RFC 2869, June 2000. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- [RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6", RFC -- ../data/rfc/rfc5176.txt- [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, ../data/rfc/rfc5176.txt- M. and I. Goyret, "RADIUS Attributes for Tunnel Protocol ../data/rfc/rfc5176.txt- Support", RFC 2868, June 2000. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization ../data/rfc/rfc5176.txt: and Accounting Transport Profile", RFC 3539, June 2003. ../data/rfc/rfc5176.txt- ../data/rfc/rfc5176.txt- [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. ../data/rfc/rfc5176.txt- Aboba, "Dynamic Authorization Extensions to Remote ../data/rfc/rfc5176.txt- Authentication Dial In User Service (RADIUS)", RFC 3576, ../data/rfc/rfc5176.txt- July 2003. -- ../data/rfc/rfc5448.txt- seeing a re-authentication request with a changed network name, the ../data/rfc/rfc5448.txt- server SHOULD behave as if the re-authentication identifier had been ../data/rfc/rfc5448.txt- unrecognized, and fall back to full authentication. The server ../data/rfc/rfc5448.txt- observes the change in the name by comparing where the fast ../data/rfc/rfc5448.txt- re-authentication and full authentication EAP transactions were ../data/rfc/rfc5448.txt: received at the Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc5448.txt- protocol level. 
../data/rfc/rfc5448.txt- ../data/rfc/rfc5448.txt- AT_KDF has any other value ../data/rfc/rfc5448.txt- ../data/rfc/rfc5448.txt- Future variations of key derivation functions may be defined, and -- ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt- When this level of accuracy is required and the traffic between a ../data/rfc/rfc8372.txt- source-destination pair is subject to Equal-Cost Multipath (ECMP), a ../data/rfc/rfc8372.txt- demarcation mechanism is needed to group the packets into batches. ../data/rfc/rfc8372.txt- Once a batch is correlated at both ingress and egress, the packet ../data/rfc/rfc8372.txt: accounting mechanism is then able to operate on the batch of packets ../data/rfc/rfc8372.txt- that can be accounted for at both the packet ingress and the packet ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt-Bryant, et al. Informational [Page 3] ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt-RFC 8372 MPLS Flow Identification May 2018 ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt: egress. Errors in the accounting are particularly acute in Label ../data/rfc/rfc8372.txt- Switched Paths (LSPs) subjected to ECMP because the network transit ../data/rfc/rfc8372.txt- time will be different for the various ECMP paths since: ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt- 1. the packets may traverse different sets of LSRs; ../data/rfc/rfc8372.txt- -- ../data/rfc/rfc8372.txt- batch represented by a change of identity label will have no impact ../data/rfc/rfc8372.txt- on the ECMP path. If the path member is chosen by reference to an ../data/rfc/rfc8372.txt- entropy label [RFC6790], then changing the batch identifier will not ../data/rfc/rfc8372.txt- result in a change to the chosen ECMP path. 
ECMP is so pervasive in ../data/rfc/rfc8372.txt- multipoint-to-(multi)point networks that some method of avoiding ../data/rfc/rfc8372.txt: accounting errors introduced by ECMP needs to be supported. ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt-3. Delay Measurement Considerations ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt- Most of the existing delay measurement methods are active methods ../data/rfc/rfc8372.txt- that depend on the extra injected test packet to evaluate the delay -- ../data/rfc/rfc8372.txt-4. Units of Identification ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt- The most basic unit of identification is the identity of the node ../data/rfc/rfc8372.txt- that processed the packet on its entry to the MPLS network. However, ../data/rfc/rfc8372.txt- the required unit of identification may vary depending on the use ../data/rfc/rfc8372.txt: case for accounting, performance measurement, or other types of ../data/rfc/rfc8372.txt- packet observations. In particular, note that there may be a need to ../data/rfc/rfc8372.txt- impose identity at several different layers of the MPLS label stack. ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt- ../data/rfc/rfc8372.txt- -- ../data/rfc/rfc1633.txt-RFC 1633 Integrated Services Architecture June 1994 ../data/rfc/rfc1633.txt- ../data/rfc/rfc1633.txt- ../data/rfc/rfc1633.txt- o Classifier ../data/rfc/rfc1633.txt- ../data/rfc/rfc1633.txt: For the purpose of traffic control (and accounting), each ../data/rfc/rfc1633.txt- incoming packet must be mapped into some class; all packets ../data/rfc/rfc1633.txt- in the same class get the same treatment from the packet ../data/rfc/rfc1633.txt- scheduler. This mapping is performed by the classifier. 
../data/rfc/rfc1633.txt- Choice of a class may be based upon the contents of the ../data/rfc/rfc1633.txt- existing packet header(s) and/or some additional -- ../data/rfc/rfc1633.txt-Braden, Clark & Shenker [Page 8] ../data/rfc/rfc1633.txt- ../data/rfc/rfc1633.txt-RFC 1633 Integrated Services Architecture June 1994 ../data/rfc/rfc1633.txt- ../data/rfc/rfc1633.txt- ../data/rfc/rfc1633.txt: important role in accounting and administrative reporting. ../data/rfc/rfc1633.txt- ../data/rfc/rfc1633.txt- The fourth and final component of our implementation framework is ../data/rfc/rfc1633.txt- a reservation setup protocol, which is necessary to create and ../data/rfc/rfc1633.txt- maintain flow-specific state in the endpoint hosts and in routers ../data/rfc/rfc1633.txt- along the path of a flow. Section discusses a reservation setup -- ../data/rfc/rfc1633.txt- delivered. ../data/rfc/rfc1633.txt- ../data/rfc/rfc1633.txt- 3.4 Usage Feedback ../data/rfc/rfc1633.txt- ../data/rfc/rfc1633.txt- Another important issue in the service is the model for usage ../data/rfc/rfc1633.txt: feedback, also known as "accounting", to prevent abuse of network ../data/rfc/rfc1633.txt- resources. The link-sharing service described earlier can be ../data/rfc/rfc1633.txt- used to provide administratively-imposed limits on usage. ../data/rfc/rfc1633.txt- However, a more free-market model of network access will require ../data/rfc/rfc1633.txt- back-pressure on users for the network resources they reserve. ../data/rfc/rfc1633.txt- This is a highly contentious issue, and we are not prepared to say -- ../data/rfc/rfc6459.txt- decides to establish a PDN connection with a PDN-GW. The UE ../data/rfc/rfc6459.txt- sends an "Attach" request (layer-2) to the base station (BS). ../data/rfc/rfc6459.txt- The BS forwards this Attach request to the MME. ../data/rfc/rfc6459.txt- ../data/rfc/rfc6459.txt- 2. 
RFC 6459:
Authentication of the UE with the Authentication, Authorization, and Accounting (AAA) server/HSS follows. If the UE is authorized to establish a data connection, the process continues with the following steps:

   3. The MME sends a "Create Session" request message to the SGW. The SGW forwards the Create Session request to the PDN-GW. The

RFC 8376, 5. Security Considerations:
Most LPWAN technologies integrate some authentication or encryption mechanisms that were defined outside the IETF. The LPWAN WG may need to do work to integrate these mechanisms to unify management. A standardized Authentication, Authorization, and Accounting (AAA) infrastructure [RFC2904] may offer a scalable solution for some of the security and management issues for LPWANs. AAA offers centralized management that may be of use in LPWANs; for example, [LoRaWAN-AUTH] and [LoRaWAN-RADIUS] suggest possible security processes for a LoRaWAN network. Similar mechanisms may be useful to

RFC 5213:
messages or sending binding updates. Therefore, the local mobility anchor MUST restrict the creation and manipulation of proxy bindings to specifically authorized mobile access gateways and prefixes. The local mobility anchor MUST be locally configurable to authorize such specific combinations. Additional mechanisms, such as a policy store or Authentication, Authorization, and Accounting (AAA), may be employed, but these are outside the scope of this specification.

Unlike in Mobile IPv6 [RFC3775], these signaling messages do not carry either the Home Address destination option or the Type 2 Routing header, and hence the policy entries and security association

RFC 5213:
connected to the mobile access gateway, the mobile access gateway MAY optimize on the delivery efforts by locally routing the packets and by not reverse tunneling them to the mobile node's local mobility anchor. The flag EnableMAGLocalRouting MAY be used for controlling this behavior. However, in some systems, this may have an implication on the mobile node's accounting and policy enforcement, as the local mobility anchor is not in the path for that traffic and it will not be able to apply any traffic policies or do any accounting for those flows.

This decision of path optimization SHOULD be based on the policy configured on the mobile access gateway, but enforced by the mobile node's local mobility anchor. The specific details on how this is

RFC 7576 (table of contents):
   3. Automatic and Autonomic Aspects of Current IP Networks ........ 3
   3.1. IP Address Management and DNS ............................... 3
   3.2. Routing ..................................................... 5
   3.3. Configuration of Default Router in a Host ................... 5
   3.4. Hostname Lookup ............................................. 5
   3.5. User Authentication and Accounting .......................... 6
   3.6. Security .................................................... 6
   3.7. State Synchronization ....................................... 7
   4. Current Non-autonomic Behaviors ............................... 7
   4.1. Building a New Network ...................................... 7
   4.2. Network Maintenance and Management .......................... 8

RFC 7576:
configured with the appropriate DNS server addresses. Additionally, some networks deploy Multicast DNS [RFC6762] locally to provide additional automation of the name space.

3.5. User Authentication and Accounting

Originally, user authentication and accounting was mainly based on physical connectivity and the degree of trust that follows from direct connectivity. Network operators charged based on the setup of dedicated physical links with users. Automated user authentication was introduced by the Point-to-Point Protocol [RFC1661], [RFC1994] and the RADIUS protocol [RFC2865] [RFC2866] in the early 1990s. As long as a user completes online authentication through the RADIUS protocol, the accounting for that user starts on the corresponding Authentication, Authorization, and Accounting (AAA) server automatically. This mechanism enables business models with charging based on the amount of traffic or time. However, user authentication information continues to be manually managed by network administrators. It also becomes complex in the case of mobile users who roam between operators, since prior relationships between the

RFC 7576 Autonomic Networking Gap Analysis June 2015

each device and each protocol, set up central user authentication and accounting policies and databases, design and deploy security mechanisms, etc.

Overall, these jobs are quite complex work that cannot become fully autonomic in the foreseeable future. However, part of these jobs may be able to become autonomic, such as detailed device and protocol

RFC 7576 (references):
   [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000, <http://www.rfc-editor.org/info/rfc2865>.
   [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, DOI 10.17487/RFC2866, June 2000, <http://www.rfc-editor.org/info/rfc2866>.
   [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol

RFC 6123:
Manageability issues are often referred to under the collective acronym, FCAPS [X.700], which stands for the following:

   - Fault management
   - Configuration
   - Accounting
   - Performance
   - Security

Conventionally, Security is already covered in an Internet-Draft in its own Security Considerations section, and this document does not in

RFC 5191:
is to verify the credentials provided by a PANA client (PaC) and authorize network access to the access device. The PAA and the EAP authenticator (and optionally the EAP server) are colocated in the same node. Note the authentication and authorization procedure can, according to the EAP model, also be offloaded to the back-end Authentication, Authorization, and Accounting (AAA) infrastructure.

RFC 5191, 11.8. Early Termination of a Session:
The PANA protocol supports the ability for both the PaC and the PAA to transmit a tear-down message before the session lifetime expires. This message causes state removal, a stop of the accounting procedure, and removes the installed per-PaC state on the EP(s). This message is cryptographically protected when a PANA SA is present.

12. Acknowledgments

RFC 4297:
that avoiding copies reduces CPU time spent on data access from 24% to 15% at 370 Mbits/s for a 32 KBytes MTU using an AlphaStation XP1000 and a Myrinet adapter [BCF+95]. This is an absolute improvement of 9% due to copy avoidance.

The total CPU utilization was 35%, with data access accounting for 24%. Thus, the relative importance of reducing copies is 26%. At 370 Mbits/s, the system is not very heavily loaded. The relative improvement in achievable bandwidth is 34%. This is the improvement we would see if copy avoidance were added when the machine was saturated by network I/O.

RFC 905:
   b) accounting mechanisms;
   c) status exchanges and monitoring of QOS;
   d) blocking;

RFC 2475 (terminology):
properties (e.g., rate) of a traffic stream selected by a classifier. The instantaneous state of this process may be used to affect the operation of a marker, shaper, or dropper, and/or may be used for accounting and measurement purposes.

   Microflow: a single instance of an application-to-application flow of packets which is identified by source address, source port, destination address, destination port and

RFC 2475:
are available in the bucket. The concept of in- and out-of-profile can be extended to more than two levels, e.g., multiple levels of conformance with a profile may be defined and enforced.

Different conditioning actions may be applied to the in-profile packets and out-of-profile packets, or different accounting actions may be triggered. In-profile packets may be allowed to enter the DS domain without further conditioning; or, alternatively, their DS codepoint may be changed. The latter happens when the DS codepoint is set to a non-Default value for the first time [DSFIELD], or when the packets enter a DS domain that uses a different PHB group or codepoint->PHB mapping policy for this traffic stream. Out-of-profile packets may be queued until they are in-profile (shaped), discarded (policed), marked with a new codepoint (re-marked), or forwarded unchanged while triggering some accounting procedure. Out-of-profile packets may be mapped to one or more behavior aggregates that are "inferior" in some dimension of forwarding performance to the BA into which in-profile packets are mapped.

Note that a traffic profile is an optional component of a TCA and its

RFC 694:
   Schedule:

   Comments:

   The TIPs and some RSEXEC servers now are cooperating to perform TIP user authentication and accounting functions.
   Recent developments:

   Line Processor Protocol

RFC 694:
   EXEC (24580,) "The Executive Package"

   This document describes a package that runs in the setting provided by PCP. It includes procedures and data stores for user identification, accounting, and usage information.

   Pathname: [BBNB] <NLS>EXEC.TXT

   FILE (24582,) "The File Package"

RFC 694 (link number assignments):
   Decimal   Octal     Assignment
   1         1         Reserved
   2-71      2-107     Regular Messages
   72-151    110-227   Reserved
   152       230       PARC Universal Protocol
   153       231       TIP Status Reporting
   154       232       TIP Accounting
   155-158   233-236   Internet Protocol
   159-191   237-277   Measurements
   192-195   300-303   Message Switching Protocol
   196-255   304-377   Experimental Protocols

RFC 4006, 1.2. Terminology:
   AAA
      Authentication, Authorization, and Accounting

   AA answer
      AA answer generically refers to a service specific authorization and authentication answer. AA answer commands are defined in service

RFC 4006:
Capabilities-Exchange-Request and Capabilities-Exchange-Answer command [DIAMBASE].

2. Architecture Models

The current accounting models specified in RADIUS Accounting [RFC2866] and Diameter base [DIAMBASE] are not sufficient for real-time credit-control, where credit-worthiness is to be determined prior to service initiation. Also, the existing Diameter authorization applications, [NASREQ] and [DIAMMIP], only provide service authorization, but do not provide credit authorization for

RFC 4006:
A service element may authenticate and authorize the end user with the AAA server by using AAA protocols; e.g., RADIUS or a Diameter base protocol with a possible Diameter application.

Accounting protocols such as RADIUS accounting and the Diameter base accounting protocol can be used to provide accounting data to the accounting server after service is initiated, and to provide possible interim reports until service completion. However, for real-time credit-control, these authorization and accounting models are not sufficient.

When real-time credit-control is required, the credit-control client contacts the credit-control server with information about a possible service event. The credit-control process is performed to determine

Hakala, et al. Standards Track [Page 23]
RFC 4006 Diameter Credit-Control Application August 2005

accounting protocol and the credit-control protocol can be used in parallel. The authorization server may also determine whether the parallel accounting stream is required.

The following diagram illustrates the case where both protocols are used in parallel and the service element sends credit-control messages directly to the credit-control server. More credit-control sequence examples are given in Annex A.

                                         Diameter
   End User     Service Element         AAA Server           CC Server
                  (CC Client)
     | Registration  | AA request/answer(accounting,cc or both)|
     |<------------->|<------------------>|                    |
     |       :       |                    |                    |
     |       :       |                    |                    |
     | Service Request|                   |                    |
     |--------------->|                   |                    |
     |               | CCR(Initial,Credit-Control AVPs)        |
     |              +|---------------------------------------->|
     |    CC stream ||                    |  CCA(Granted-Units)|
     |              +|<----------------------------------------|
     | Service Delivery|                  |                    |
     |<------------->| ACR(start,Accounting AVPs)              |
     |       :       |------------------->|+                   |
     |       :       | ACA                || Accounting stream |
     |               |<-------------------|+                   |
     |       :       |                    |                    |
     |       :       |                    |                    |
     |               | CCR(Update,Used-Units)                  |
     |               |---------------------------------------->|

RFC 4006:
The following diagram illustrates the use of authorization/authentication messages to perform the first interrogation. The parallel accounting stream is not shown in the figure.

                   Service Element        Diameter
   End User          (CC Client)         AAA Server          CC Server
     | Service Request   | AA Request (CC AVPs)    |

RFC 4006:
locally. The CCFH value received from the home AAA server overrides the locally configured value. The CCFH value received from the credit-control server in the Credit-Control-Answer message always overrides any existing value.

The authorization server MAY include the Accounting-Realtime-Required AVP to determine what to do if the sending of accounting records to the accounting server has been temporarily prevented, as defined in [DIAMBASE]. It is RECOMMENDED that the client complement the credit-control failure procedures with a backup accounting flow toward an accounting server. By using different combinations of the Accounting-Realtime-Required and Credit-Control-Failure-Handling AVPs, different safety levels can be built. For example, by choosing a Credit-Control-Failure-Handling AVP equal to CONTINUE for the credit-control flow and an Accounting-Realtime-Required AVP equal to DELIVER_AND_GRANT for the accounting flow, the service can be granted to the end user even if the connection to the credit-control server is down, as long as the accounting server is able to collect the accounting information and information exchange is taking place between the accounting server and the credit-control server.

As the credit-control application is based on real-time bi-directional communication between the credit-control client and the credit-control server, the usage of alternative destinations and the buffering of messages may not be sufficient in the event of

RFC 4006 (references):
   [NASREQ] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter Network Access Server Application", RFC 4005, August 2005.
   [AAATRANS] Aboba, B. and J. Wood, "Authentication, Authorization and Accounting (AAA) Transport Profile", RFC 3539, June 2003.
   [URL] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform Resource Locators (URL)", RFC 1738, December 1994.
   [RAD802.1X] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J.

RFC 4006 (references, continued):
   and identification, (release 5), 3GPP TS 23.003 v. 5.8.0, 2003-12

15.2. Informative References

   [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
   [DIAMMIP] Calhoun, P., Johansson, T., Perkins, C., Hiller, T., and P. McCann, "Diameter Mobile IPv4 Application", RFC 4004, August 2005.

Nelson & Weber Standards Track [Page 18]
RFC 5607 RADIUS NAS-Management Authorization July 2009

   Accounting Messages
   Request  Response  #    Attribute
   ---------------------------------------------------------------
   0-1      0         133  Framed-Management-Protocol
   0-1      0         134  Management-Transport-Protection
   0-1      0         135  Management-Policy-Id

RFC 5607, 12. Security Considerations, 12.1. General Considerations:
This specification describes the use of RADIUS and Diameter for purposes of authentication, authorization, and accounting for management access to devices within networks. RADIUS threats and security issues for this application are described in [RFC3579] and

RFC 5607 (references):
   [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
   [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
   [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.

RFC 2200:
   2140 - TCP Control Block Interdependence

      This is an information document and does not specify any level of standard.

   2139 - RADIUS Accounting

      This is an information document and does not specify any level of standard.

   2138 - Remote Authentication Dial In User Service (RADIUS)

RFC 6519 (abstract):
connectivity to customers that are addressed only with an IPv6 prefix. Dual-Stack Lite requires pre-configuration of the Dual-Stack Lite Address Family Transition Router (AFTR) tunnel information on the Basic Bridging BroadBand (B4) element. In many networks, the customer profile information may be stored in Authentication, Authorization, and Accounting (AAA) servers, while client configurations are mainly provided through the Dynamic Host Configuration Protocol (DHCP). This document specifies a new Remote Authentication Dial-In User Service (RADIUS) attribute to carry the Dual-Stack Lite AFTR tunnel name; the RADIUS attribute is defined based on the equivalent DHCPv6 OPTION_AFTR_NAME option. This RADIUS

RFC 6519:
DS-Lite client (B4 element) to discover its AFTR name. In order to be able to populate such an option, the DHCPv6 server must be pre-provisioned with the AFTR name.

In broadband environments, a customer profile may be managed by Authentication, Authorization, and Accounting (AAA) servers, together with AAA for users. The Remote Authentication Dial-In User Service (RADIUS) protocol [RFC2865] is usually used by AAA servers to communicate with network elements. [RADIUS-IPv6] describes a typical broadband network scenario in which the Network Access Server (NAS) acts as the access gateway for the users (hosts or Customer Premises

RFC 6519:
Upon receiving an AFTR tunnel name different from the currently used one, the B4 MUST terminate the current DS-Lite tunnel, and the B4 MUST establish a new DS-Lite tunnel with the specified AFTR.
The DS-Lite-Tunnel-Name RADIUS attribute MAY be present in Accounting-Request records where the Acct-Status-Type is set to Start, Stop, or Interim-Update. The DS-Lite-Tunnel-Name RADIUS attribute MUST NOT appear more than once in a message.

A summary of the DS-Lite-Tunnel-Name RADIUS attribute format is shown below. The fields are transmitted from left to right.

RFC 6519, 5. Table of Attributes:
The following tables provide a guide to which attributes may be found in which kinds of packets, and in what quantity.

   Access-  Access-  Access-  Challenge  Accounting  #    Attribute
   Request  Accept   Reject              Request
   0-1      0-1      0        0          0-1         144  DS-Lite-Tunnel-Name

   CoA-Request  CoA-ACK  CoA-NACK  #    Attribute
   0-1          0        0         144  DS-Lite-Tunnel-Name

RFC 696:
   FACILITIES - 16 bits

   These bits have not yet been specifically allocated. Some will no doubt be for international services (e.g., tracing at gateways between networks, accounting, class of service). It was the feeling of WG 6.1 members that some of these bits (e.g., 8) might be allocated to the originating network (or destination network) for its own use.
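The RADIUS accounting rules quoted above (RFC 2866 framing; RFC 6519's DS-Lite-Tunnel-Name, type 144, allowed in Accounting-Request with Acct-Status-Type Start, Stop or Interim-Update and never more than once) as an added Python example. This is not code from either RFC. The shared secret, identifier and AFTR name are constructed; the Acct-Status-Type values 1/2/3 and the Request Authenticator construction are as RFC 2866 defines them; encoding the tunnel name as uncompressed DNS labels follows the DHCPv6 OPTION_AFTR_NAME option the attribute is derived from and is an assumption here, since the excerpt omits the attribute format figure.

```python
"""RADIUS Accounting-Request builder and verifier (RFC 2866 framing) carrying
the DS-Lite-Tunnel-Name attribute (type 144, RFC 6519).  Added example, not
text or code from either RFC.  Label encoding of the name is an assumption."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                 # RADIUS Code for Accounting-Request
ACCT_STATUS_TYPE = 40                  # attribute type (RFC 2866)
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3
DS_LITE_TUNNEL_NAME = 144              # attribute type from the RFC 6519 table
HEADER_LEN = 20                        # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_fqdn(name: str) -> bytes:
    """Uncompressed DNS wire-format labels (assumed encoding for the value)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_fqdn(data: bytes) -> str:
    labels, i = [], 0
    while i < len(data) and data[i] != 0:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length covers the two header octets (RFC 2865)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([atype, len(value) + 2]) + value


def build_accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets
    + attributes + shared secret), as RFC 2866 specifies."""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + authenticator + attrs


def accounting_request_with_tunnel(identifier: int, status_type: int,
                                   aftr_name: str, secret: bytes) -> bytes:
    attrs = attr(ACCT_STATUS_TYPE, struct.pack("!I", status_type))
    attrs += attr(DS_LITE_TUNNEL_NAME, encode_fqdn(aftr_name))
    return build_accounting_request(identifier, attrs, secret)


def parse_attributes(body: bytes) -> list:
    """Walk the TLVs; reject truncated headers and lengths that do not advance."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def verify_accounting_request(pkt: bytes, secret: bytes) -> dict:
    """Return identifier and attributes if the packet is authentic and obeys
    the RFC 6519 at-most-once rule; raise ValueError otherwise.  A server that
    skips the authenticator check accepts forged Start/Stop records from
    anyone who can reach its accounting port."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not an Accounting-Request of the stated length")
    head, got, attrs = pkt[:4], pkt[4:20], pkt[20:]
    want = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(got, want):
        raise ValueError("Request Authenticator mismatch")
    decoded = parse_attributes(attrs)
    if sum(1 for t, _ in decoded if t == DS_LITE_TUNNEL_NAME) > 1:
        raise ValueError("DS-Lite-Tunnel-Name MUST NOT appear more than once")
    return {"identifier": identifier, "attributes": decoded}


def accepts(pkt: bytes, secret: bytes) -> bool:
    """Boolean wrapper around verify_accounting_request()."""
    try:
        verify_accounting_request(pkt, secret)
        return True
    except ValueError:
        return False
```

The authenticator binds the attributes to a shared secret with a single MD5, which is what RFC 2866 gives you: it stops an off-path forger who lacks the secret, but offers no confidentiality and depends entirely on the secret's strength, so accounting traffic that crosses untrusted networks should additionally be carried over RADIUS/TLS (RFC 6614) or IPsec.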
RFC 2212:
obey the rule that over all time periods, the amount of data sent cannot exceed M+min[pT, rT+b-M], where r and b are the token bucket parameters, M is the maximum datagram size, and T is the length of the time period (note that when p is infinite this reduces to the standard token bucket requirement). For the purposes of this accounting, links MUST count datagrams which are smaller than the minimum policing unit to be of size m. Datagrams which arrive at an element and cause a violation of the M+min[pT, rT+b-M] bound are considered non-conformant.

At the edge of the network, traffic is policed to ensure it conforms

RFC 5592:
maintained by IANA). The use of the "none" authentication method is NOT RECOMMENDED, as described in this document's Security Considerations. Local accounts may be supported through the use of the publickey, hostbased, or password methods. The password method allows for integration with a deployed password infrastructure, such as Authentication, Authorization, and Accounting (AAA) servers using the RADIUS protocol [RFC2865]. The SSH Transport Model SHOULD be able to take advantage of future-defined ssh-userauth methods, such as those that might make use of X.509 certificate credentials.
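The RFC 2212 conformance bound M+min[pT, rT+b-M] quoted above, and the RFC 2475 in/out-of-profile conditioning actions quoted earlier (police, re-mark, or forward unchanged while accounting), as one added Python example that is not code from either RFC. The bound is realised as the standard pair of token buckets, (r, b) and (p, M), whose combined output over any window T is exactly min(rT+b, pT+M); datagrams smaller than m are counted as m, as RFC 2212 requires. The Tspec values, the DSCP numbers and the packet trace are constructed; shaping (queueing until in-profile) is left out.

```python
"""Dual token bucket for the RFC 2212 Tspec bound M + min[pT, rT + b - M],
driving RFC 2475 conditioning actions.  Added example, not text or code from
either RFC.  Rates are bytes per second; times are seconds."""
import math
from dataclasses import dataclass, field


@dataclass
class TSpec:
    r: float   # token rate
    b: float   # bucket depth
    p: float   # peak rate (math.inf: no peak bound)
    m: int     # minimum policed unit
    M: int     # maximum datagram size


@dataclass
class Meter:
    """Buckets (r, b) and (p, M) start full, so in any window T they pass at
    most min(rT + b, pT + M) = M + min[pT, rT + b - M] bytes."""
    spec: TSpec
    now: float = 0.0
    tokens_r: float = field(init=False, default=0.0)
    tokens_p: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens_r, self.tokens_p = float(self.spec.b), float(self.spec.M)

    def _refill(self, t: float) -> None:
        dt = max(0.0, t - self.now)
        self.tokens_r = min(self.spec.b, self.tokens_r + self.spec.r * dt)
        if math.isfinite(self.spec.p):
            self.tokens_p = min(self.spec.M, self.tokens_p + self.spec.p * dt)
        self.now = t

    def offer(self, t: float, size: int) -> bool:
        """True, debiting both buckets, if a datagram of `size` bytes arriving
        at time t is in-profile.  Sizes under m count as m (RFC 2212); a size
        over M exceeds the bound for T = 0 and is non-conformant."""
        if size > self.spec.M:
            return False
        counted = max(size, self.spec.m)
        self._refill(t)
        if counted > self.tokens_r:
            return False
        if math.isfinite(self.spec.p) and counted > self.tokens_p:
            return False
        self.tokens_r -= counted
        if math.isfinite(self.spec.p):
            self.tokens_p -= counted
        return True


POLICE, REMARK, ACCOUNT_ONLY = "police", "remark", "account-only"


@dataclass
class Conditioner:
    """RFC 2475 meter feeding a marker/dropper with accounting counters."""
    meter: Meter
    in_dscp: int                 # codepoint written on in-profile packets
    out_action: str = POLICE
    out_dscp: int = 0            # the "inferior" aggregate for re-marked packets
    counters: dict = field(default_factory=lambda: {
        "in_bytes": 0, "out_bytes": 0, "dropped": 0})

    def condition(self, t: float, size: int, dscp: int):
        """Return (forward, dscp) for one packet and update accounting."""
        if self.meter.offer(t, size):
            self.counters["in_bytes"] += size
            return True, self.in_dscp
        self.counters["out_bytes"] += size        # accounting action on excess
        if self.out_action == POLICE:
            self.counters["dropped"] += 1
            return False, dscp                    # discarded
        if self.out_action == REMARK:
            return True, self.out_dscp            # marked with a new codepoint
        return True, dscp                         # forwarded unchanged, accounted


def demo():
    """Constructed trace: 1500-byte datagrams against r=1000 B/s, b=3000 B,
    no peak bound, m=100, M=1500, with excess re-marked to the Default PHB."""
    cond = Conditioner(Meter(TSpec(r=1000, b=3000, p=math.inf, m=100, M=1500)),
                       in_dscp=0x2E, out_action=REMARK, out_dscp=0x00)
    trace = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (1.0, 1500), (1.0, 50)]
    return [cond.condition(t, s, 0x2E) for t, s in trace], cond.counters
```

In demo(), the first two datagrams drain the 3000-byte bucket, the third is out-of-profile and re-marked, one second later only 1000 bytes have returned so a 1500-byte datagram is again out-of-profile, and the 50-byte datagram is charged as 100 bytes and passes. Setting a finite p adds the second bucket, which is what turns a burst-tolerant bound into a peak-rate bound.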
It is desirable to use mechanisms that could unify the approach for

RFC 5015 Bidirectional PIM October 2007

specific state. Upstream forwarding can be performed using only RPA specific state. An implementation may decide to maintain group state for source-only branches for accounting or performance reasons. However, doing so requires data-driven events (to discover the groups with active sources), thus sacrificing one of the main benefits of BIDIR-PIM.

3.3.3. Directly Connected Sources

RFC 5559 (table of contents):
   5. Operations and Management ...................................... 25
   5.1. Fault Operations and Management ............................... 25
   5.2. Configuration Operations and Management ....................... 26
   5.2.1. System Options .............................................. 27
   5.2.2. Parameters .................................................. 28
   5.3. Accounting Operations and Management .......................... 30
   5.4. Performance and Provisioning Operations and Management ........ 30
   5.5. Security Operations and Management ............................ 31
   6. Applicability of PCN ........................................... 32
   6.1. Benefits ...................................................... 32
   6.2. Deployment Scenarios .......................................... 33

RFC 5559:
signalling protocol.

5. Operations and Management

This section considers operations and management issues, under the FCAPS headings: Faults, Configuration, Accounting, Performance, and Security. Provisioning is discussed with performance.

5.1. Fault Operations and Management

Fault Operations and Management is about preventing faults, telling

Eardley Informational [Page 29]
RFC 5559 PCN Architecture June 2009

5.3. Accounting Operations and Management

Accounting is only done at trust boundaries, so it is out of scope of this document, which is confined to intra-domain issues. Use of PCN internal to a domain makes no difference to the flow signalling events crossing trust boundaries outside the PCN-domain, which are typically used for accounting.

5.4. Performance and Provisioning Operations and Management

Monitoring of performance factors measurable from *outside* the PCN-domain will be no different with PCN than with any other packet-

RFC 808:
personal computer will not be available to handle incoming mail all the time. Probably, personal computer users will have their mailboxes on some big brother computer (which may be dedicated to mailbox service, or be a general purpose host) and poll for their mail when they want to read it. There were some concerns raised about accountability and accounting.

   6. Bob Thomas talked about the ideas for routing mail between regular mailboxes on ARPANET Hosts and mailboxes of NSW users.

   The main point of interest is that an NSW user is not a user of a

RFC 2708:
   MIB attribute                | DPA job attribute            | IPP Data type
   -----------------------------+------------------------------+--------------
   jobStateReasonsN (N=2, 3, 4) | job-state-reasons (note 2)   | Integer
   jobCodedCharSet              | (note 1)                     | Octet String
   jobAccountName               | accounting-information       | Octet String
   jobName                      | job-name                     | Octet String
   deviceNameRequested          | printer-name-requested       | Octet String
   physicalDevice               | printers-assigned            | Octet String
   numberOfDocuments            | number-of-documents          | Integer
   fileName                     | file-name                    | Octet String

RFC 4005:
Copyright (C) The Internet Society (2005).

Abstract

This document describes the Diameter protocol application used for Authentication, Authorization, and Accounting (AAA) services in the Network Access Server (NAS) environment. When combined with the Diameter Base protocol, Transport Profile, and Extensible Authentication Protocol specifications, this application specification satisfies typical network access services requirements.

RFC 4005 (table of contents):
   3.4. Re-Auth-Answer (RAA) Command .................................. 14
   3.5. Session-Termination-Request (STR) Command ..................... 15
   3.6. Session-Termination-Answer (STA) Command ...................... 15
   3.7. Abort-Session-Request (ASR) Command ........................... 16
   3.8. Abort-Session-Answer (ASA) Command ............................ 17
   3.9. Accounting-Request (ACR) Command .............................. 17
   3.10. Accounting-Answer (ACA) Command .............................. 19
   4. NAS Session AVPs ............................................... 20
   4.1. Call and Session Information .................................. 21
   4.2. NAS-Port AVP .................................................. 22
   4.3. NAS-Port-Id AVP ............................................... 22
   4.4. NAS-Port-Type AVP ............................................. 22

   7.8. Tunnel-Assignment-Id AVP ...................................... 48
   7.9. Tunnel-Preference AVP ......................................... 49
   7.10. Tunnel-Client-Auth-Id AVP .................................... 50
   7.11. Tunnel-Server-Auth-Id AVP .................................... 50
   8. NAS Accounting ................................................. 50
   8.1. Accounting-Input-Octets AVP ................................... 51
   8.2. Accounting-Output-Octets AVP .................................. 52
   8.3. Accounting-Input-Packets AVP .................................. 52
   8.4. Accounting-Output-Packets AVP ................................. 52
   8.5. Acct-Session-Time AVP ......................................... 52
   8.6. Acct-Authentic AVP
. . . . . . 52 ../data/rfc/rfc4005.txt: 8.7. Accounting-Auth-Method AVP . . . . . . . . . . . . . . . 53 ../data/rfc/rfc4005.txt- 8.8. Acct-Delay-Time . . . . . . . . . . . . . . . . . . . . 53 ../data/rfc/rfc4005.txt- 8.9. Acct-Link-Count . . . . . . . . . . . . . . . . . . . . 54 ../data/rfc/rfc4005.txt- 8.10. Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . . 54 ../data/rfc/rfc4005.txt- 8.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . . 55 ../data/rfc/rfc4005.txt- 9. RADIUS/Diameter Protocol Interactions . . . . . . . . . . . . 55 -- ../data/rfc/rfc4005.txt- RADIUS VSA . . . . . . . . . . . . . . . . . . . 70 ../data/rfc/rfc4005.txt- 9.6.2. Forwarding a RADIUS VSA as a Diameter Vendor ../data/rfc/rfc4005.txt- Specific AVP . . . . . . . . . . . . . . . . . . 70 ../data/rfc/rfc4005.txt- 10. AVP Occurrence Tables. . . . . . . . . . . . . . . . . . . . . 71 ../data/rfc/rfc4005.txt- 10.1. AA-Request/Answer AVP Table. . . . . . . . . . . . . . . 71 ../data/rfc/rfc4005.txt: 10.2. Accounting AVP Tables. . . . . . . . . . . . . . . . . . 73 ../data/rfc/rfc4005.txt: 10.2.1. Accounting Framed Access AVP Table. . . . . . . 74 ../data/rfc/rfc4005.txt: 10.2.2. Accounting Non-Framed Access AVP Table. . . . . 76 ../data/rfc/rfc4005.txt- 11. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 77 ../data/rfc/rfc4005.txt- 11.1. Command Codes. . . . . . . . . . . . . . . . . . . . . . 77 ../data/rfc/rfc4005.txt- 11.2. AVP Codes. . . . . . . . . . . . . . . . . . . . . . . . 78 ../data/rfc/rfc4005.txt- 11.3. Application Identifier . . . . . . . . . . . . . . . . . 78 ../data/rfc/rfc4005.txt- 11.4. CHAP-Algorithm AVP Values. . . . . . . . . . . . . . . . 78 ../data/rfc/rfc4005.txt: 11.5. Accounting-Auth-Method AVP Values. . . . . . . . . . . . 78 ../data/rfc/rfc4005.txt- 11.6. Origin-AAA-Protocol AVP Values . . . . . . . . . . . . . 78 ../data/rfc/rfc4005.txt- 12. Security Considerations. . . . . . . . . . . . . . . . . . . . 
78 ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- -- ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- First, this document describes the operation of a Diameter NAS ../data/rfc/rfc4005.txt- application. Then it defines the Diameter message Command-Codes. ../data/rfc/rfc4005.txt- The following sections list the AVPs used in these messages, grouped ../data/rfc/rfc4005.txt- by common usage. These are session identification, authentication, ../data/rfc/rfc4005.txt: authorization, tunneling, and accounting. The authorization AVPs are ../data/rfc/rfc4005.txt- further broken down by service type. Interaction and backward ../data/rfc/rfc4005.txt- compatibility issues with RADIUS are discussed in later sections. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt-1.1. Terminology ../data/rfc/rfc4005.txt- -- ../data/rfc/rfc4005.txt- When the authentication or authorization exchange completes ../data/rfc/rfc4005.txt- successfully, the NAS application SHOULD start a session context. If ../data/rfc/rfc4005.txt- the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the ../data/rfc/rfc4005.txt- exchange continues until a success or error is returned. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: If accounting is active, the application MUST also send an Accounting ../data/rfc/rfc4005.txt: message [BASE]. An Accounting-Record-Type of START_RECORD is sent ../data/rfc/rfc4005.txt- for a new session. If a session fails to start, the EVENT_RECORD ../data/rfc/rfc4005.txt- message is sent with the reason for the failure described. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: Note that the return of an unsupportable Accounting-Realtime-Required ../data/rfc/rfc4005.txt- value [BASE] would result in a failure to establish the session. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt-2.2. 
Diameter Session Reauthentication or Reauthorization ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- The Diameter Base protocol allows users to be periodically -- ../data/rfc/rfc4005.txt- indicated by the Re-Auth-Request-Type value. This will cause the NAS ../data/rfc/rfc4005.txt- to send a new AAR message using the existing Session-Id. The server ../data/rfc/rfc4005.txt- will respond with an AAA message to specify the new service ../data/rfc/rfc4005.txt- parameters. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: If accounting is active, every change of authentication or ../data/rfc/rfc4005.txt: authorization SHOULD generate an accounting message. If the NAS ../data/rfc/rfc4005.txt- service is a continuation of the prior user context, then an ../data/rfc/rfc4005.txt: Accounting-Record-Type of INTERIM_RECORD indicating the new session ../data/rfc/rfc4005.txt- attributes and cumulative status would be appropriate. If a new user ../data/rfc/rfc4005.txt- or a significant change in authorization is detected by the NAS, then ../data/rfc/rfc4005.txt- the service may send two messages of the types STOP_RECORD and ../data/rfc/rfc4005.txt: START_RECORD. Accounting may change the subsession identifiers ../data/rfc/rfc4005.txt- (Acct-Session-ID, or Acct-Sub-Session-Id) to indicate such sub- ../data/rfc/rfc4005.txt- sessions. A service may also use a different Session-Id value for ../data/rfc/rfc4005.txt: accounting (see [BASE] section 9.6). ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- However, the Diameter Session-ID AVP value used for the initial ../data/rfc/rfc4005.txt- authorization exchange MUST be used to generate an STR message when ../data/rfc/rfc4005.txt- the session context is terminated. ../data/rfc/rfc4005.txt- -- ../data/rfc/rfc4005.txt-Calhoun, et al. 
Standards Track [Page 8] ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt-RFC 4005 Diameter Network Access Server Application August 2005 ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: If accounting is active, an Accounting STOP_RECORD message [BASE] ../data/rfc/rfc4005.txt- MUST be sent upon termination of the session context. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- More information on Diameter Session Termination is included in ../data/rfc/rfc4005.txt- [BASE] sections 8.4 and 8.5. ../data/rfc/rfc4005.txt- -- ../data/rfc/rfc4005.txt- Re-Auth-Answer RAA 258 3.4 ../data/rfc/rfc4005.txt- Session-Termination-Request STR 275 3.5 ../data/rfc/rfc4005.txt- Session-Termination-Answer STA 275 3.6 ../data/rfc/rfc4005.txt- Abort-Session-Request ASR 274 3.7 ../data/rfc/rfc4005.txt- Abort-Session-Answer ASA 274 3.8 ../data/rfc/rfc4005.txt: Accounting-Request ACR 271 3.9 ../data/rfc/rfc4005.txt: Accounting-Answer ACA 271 3.10 ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt-3.1. AA-Request (AAR) Command ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- The AA-Request (AAR), which is indicated by setting the Command-Code ../data/rfc/rfc4005.txt- field to 265 and the 'R' bit in the Command Flags field, is used to -- ../data/rfc/rfc4005.txt- [ Redirected-Host-Usage ] ../data/rfc/rfc4005.txt- [ Redirected-Max-Cache-Time ] ../data/rfc/rfc4005.txt- * [ Proxy-Info ] ../data/rfc/rfc4005.txt- * [ AVP ] ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt:3.9. Accounting-Request (ACR) Command ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- The ACR message [BASE] is sent by the NAS to report its session ../data/rfc/rfc4005.txt- information to a target server downstream. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- Either of Acct-Application-Id or Vendor-Specific-Application-Id AVPs ../data/rfc/rfc4005.txt- MUST be present. 
   If the Vendor-Specific-Application-Id grouped AVP
   is present, it must have an Acct-Application-Id inside.

   The AVPs listed in the Base MUST be assumed to be present, as
   appropriate.  NAS service-specific accounting AVPs SHOULD be present
   as described in section 8 and the rest of this specification.

--
      <AC-Request> ::= < Diameter Header: 271, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Accounting-Record-Type }
                       { Accounting-Record-Number }
                       [ Acct-Application-Id ]
                       [ Vendor-Specific-Application-Id ]
                       [ User-Name ]
                       [ Accounting-Sub-Session-Id ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ Destination-Host ]
--
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                     * [ Class ]
                       [ Service-Type ]
                       [ Termination-Cause ]
                       [ Accounting-Input-Octets ]
                       [ Accounting-Input-Packets ]
                       [ Accounting-Output-Octets ]
                       [ Accounting-Output-Packets ]
                       [ Acct-Authentic ]
                       [ Accounting-Auth-Method ]
                       [ Acct-Link-Count ]
                       [ Acct-Session-Time ]
                       [ Acct-Tunnel-Connection ]
                       [ Acct-Tunnel-Packets-Lost ]
                       [ Callback-Id ]
--
                       [ Port-Limit ]
                       [ Accounting-Realtime-Required ]
                       [ Acct-Interim-Interval ]
                     * [ Filter-Id ]
                     * [ NAS-Filter-Rule ]
                     * [ Qos-Filter-Rule ]
                       [ Framed-AppleTalk-Link ]
--
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.10.  Accounting-Answer (ACA) Command

   The ACA message [BASE] is used to acknowledge an Accounting-Request
   command.  The Accounting-Answer command contains the same Session-Id
   as the Request.  If the Accounting-Request was protected by end-to-
   end security, then the corresponding ACA message MUST be protected as
   well.

   Only the target Diameter Server or home Diameter Server SHOULD
   respond with the Accounting-Answer command.

   Either Acct-Application-Id or Vendor-Specific-Application-Id AVPs
   MUST be present, as it was in the request.

--
   The AVPs listed in the Base MUST be assumed to be present, as
   appropriate.  NAS service-specific accounting AVPs SHOULD be present
   as described in section 8 and the rest of this specification.

   Message Format

      <AC-Answer> ::= < Diameter Header: 271, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      { Accounting-Record-Type }
                      { Accounting-Record-Number }
                      [ Acct-Application-Id ]
                      [ Vendor-Specific-Application-Id ]
                      [ User-Name ]
                      [ Accounting-Sub-Session-Id ]
                      [ Acct-Session-Id ]
                      [ Acct-Multi-Session-Id ]
                      [ Event-Timestamp ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
--
                      [ NAS-Port ]
                      [ NAS-Port-Id ]
                      [ NAS-Port-Type ]
                      [ Service-Type ]
                      [ Termination-Cause ]
                      [ Accounting-Realtime-Required ]
                      [ Acct-Interim-Interval ]
                    * [ Class ]
                    * [ Proxy-Info ]
                    * [ Route-Record ]
                    * [ AVP ]
--
   optional information.

   For example: "28800 V42BIS/LAPM" or "52000/31200 V90"

   More than one Connect-Info attribute may be present in an
   Accounting-Request packet to accommodate expected efforts by the ITU
   to have modems report more connection information in a standard
   format that might exceed 252 octets.

   If sent in the ACR STOP, this attribute may summarize statistics
   relating to session quality.  For example, in IEEE 802.11, the
--
   initiator) or in use (in the case of a tunnel terminator).  It MAY be
   used in an authorization request as a hint to the server that a
   specific tunnel type is desired, but the server is not required to
   honor the hint in the corresponding response.

   The Tunnel-Type AVP SHOULD also be included in Accounting-Request
   messages.

   A tunnel initiator is not required to implement any of these tunnel
   types.  If a tunnel initiator receives a response that contains only
   unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave
--
   and contains the address of the initiator end of the tunnel.  It MAY
   be used in an authorization request as a hint to the server that a
   specific endpoint is desired, but the server is not required to honor
   the hint in the corresponding response.

   This AVP SHOULD be included in the corresponding Accounting-Request
   messages, in which case it indicates the address from which the
   tunnel was initiated.  This AVP, along with the Tunnel-Server-
   Endpoint and Session-Id AVP [BASE], MAY be used to provide a globally
   unique means to identify a tunnel for accounting and auditing
   purposes.

   If Tunnel-Medium-Type is IPv4 (1), then this string is either the
   fully qualified domain name (FQDN) of the tunnel client machine, or a

--
   and contains the address of the server end of the tunnel.  It MAY be
   used in an authorization request as a hint to the server that a
   specific endpoint is desired, but the server is not required to honor
   the hint in the corresponding response.

   This AVP SHOULD be included in the corresponding Accounting-Request
   messages, in which case it indicates the address from which the
   tunnel was initiated.  This AVP, along with the Tunnel-Client-
   Endpoint and Session-Id AVP [BASE], MAY be used to provide a globally
   unique means to identify a tunnel for accounting and auditing
   purposes.

   If Tunnel-Medium-Type is IPv4 (1), then this string is either the
   fully qualified domain name (FQDN) of the tunnel server machine, or a
   "dotted-decimal" IP address.  Implementations MUST support the
--
   authorization response if this tunnel session is to be treated as
   belonging to a particular private group.  Private groups may be used
   to associate a tunneled session with a particular group of users.
   For example, it MAY be used to facilitate routing of unregistered IP
   addresses through a particular interface.  This AVP SHOULD be
   included in the Accounting-Request messages that pertain to the
   tunneled session.

7.8.  Tunnel-Assignment-Id AVP

   The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and
--

   This attribute MAY be included in authorization responses.  The
   tunnel initiator receiving this attribute MAY choose to ignore it and
   to assign the session to an arbitrary multiplexed or non-multiplexed
   tunnel between the desired endpoints.  This AVP SHOULD also be
   included in the Accounting-Request messages pertaining to the
   tunneled session.

   If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it
   should assign a session to a tunnel in the following manner:

--
   authentication phase of tunnel establishment.  It MAY be used in an
   authorization request as a hint to the server that a specific
   preference is desired, but the server is not required to honor the
   hint in the corresponding response.  This AVP MUST be present in the
   authorization response if an authentication name other than the
   default is desired.  This AVP SHOULD be included in the Accounting-
   Request messages pertaining to the tunneled session.

7.11.  Tunnel-Server-Auth-Id AVP

   The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and
--
   authentication phase of tunnel establishment.
   It MAY be used in an
   authorization request as a hint to the server that a specific
   preference is desired, but the server is not required to honor the
   hint in the corresponding response.  This AVP MUST be present in the
   authorization response if an authentication name other than the
   default is desired.  This AVP SHOULD be included in the Accounting-
   Request messages pertaining to the tunneled session.

8.  NAS Accounting

   Applications implementing this specification use Diameter Accounting,
   as defined in [BASE], and the AVPs in the following section.
   Service-specific AVP usage is defined in the tables in section 10.

   If accounting is active, Accounting Request (ACR) messages SHOULD be
   sent after the completion of any Authentication or Authorization
   transaction and at the end of a Session.  The Accounting-Record-Type
   value indicates the type of event.  All other AVPs identify the
   session and provide additional information relevant to the event.

   The successful completion of the first Authentication or
   Authorization transaction SHOULD cause a START_RECORD to be sent.  If
--
                                           |    AVP Flag rules     |
                                           |----+-----+----+-----|----+
                   AVP  Section            |    |     |SHLD| MUST|    |
   Attribute Name  Code Defined Value Type |MUST| MAY | NOT|  NOT|Encr|
   ----------------------------------------|----+-----+----+-----|----|
   Accounting-     363  8.1   Unsigned64   | M  |  P  |    |  V  | Y  |
     Input-Octets                          |    |     |    |     |    |
   Accounting-     364  8.2   Unsigned64   | M  |  P  |    |  V  | Y  |
     Output-Octets                         |    |     |    |     |    |
   Accounting-     365  8.3   Unsigned64   | M  |  P  |    |  V  | Y  |
     Input-Packets                         |    |     |    |     |    |
   Accounting-     366  8.4   Unsigned64   | M  |  P  |    |  V  | Y  |
     Output-Packets                        |    |     |    |     |    |
   Acct-Session-Time 46 8.5   Unsigned32   | M  |  P  |    |  V  | Y  |
   Acct-Authentic   45  8.6   Enumerated   | M  |  P  |    |  V  | Y  |
   Accounting-Auth- 406 8.7   Enumerated   | M  |  P  |    |  V  | Y  |
     Method                                |    |     |    |     |    |
--
     Connection                            |    |     |    |     |    |
   Acct-Tunnel-     86  8.11  Unsigned32   | M  |  P  |    |  V  | Y  |
     Packets-Lost                          |    |     |    |     |    |
   ----------------------------------------|----+-----+----+-----|----|

8.1.  Accounting-Input-Octets AVP

   The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64
   and contains the number of octets received from the user.

--
   For NAS usage, this AVP indicates how many octets have been received
   from the port in the course of this session.  It can only be present
   in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or
   STOP_RECORD.

8.2.  Accounting-Output-Octets AVP

   The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64
   and contains the number of octets sent to the user.

   For NAS usage, this AVP indicates how many octets have been sent to
   the port in the course of this session.  It can only be present in
   ACR messages with an Accounting-Record-Type of INTERIM_RECORD or
   STOP_RECORD.

8.3.  Accounting-Input-Packets AVP

   The Accounting-Input-Packets (AVP Code 365) is of type Unsigned64 and
   contains the number of packets received from the user.

   For NAS usage, this AVP indicates how many packets have been received
   from the port over the course of a session being provided to a Framed
   User.  It can only be present in ACR messages with an Accounting-
   Record-Type of INTERIM_RECORD or STOP_RECORD.

8.4.  Accounting-Output-Packets AVP

   The Accounting-Output-Packets (AVP Code 366) is of type Unsigned64
   and contains the number of IP packets sent to the user.

   For NAS usage, this AVP indicates how many packets have been sent to
   the port over the course of a session being provided to a Framed
   User.  It can only be present in ACR messages with an Accounting-
   Record-Type of INTERIM_RECORD or STOP_RECORD.

8.5.  Acct-Session-Time AVP

   The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32 and
   indicates the length of the current session in seconds.  It can only
   be present in ACR messages with an Accounting-Record-Type of
   INTERIM_RECORD or STOP_RECORD.

8.6.  Acct-Authentic AVP

   The Acct-Authentic AVP (AVP Code 45) is of type Enumerated and
--
      1  RADIUS
      2  Local
      3  Remote
      4  Diameter

8.7.  Accounting-Auth-Method AVP

   The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated.
   A NAS MAY include this AVP in an Accounting-Request message to
   indicate the method used to authenticate the user.  (Note that this
   is equivalent to the RADIUS MS-Acct-Auth-Type VSA attribute).

   The following values are defined:

--

8.8.  Acct-Delay-Time

   The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and
   indicates the number of seconds the Diameter client has been trying
   to send the Accounting-Request (ACR).  The accounting server may
   subtract this value from the time when the ACR arrives at the server
   to calculate the approximate time of the event that caused the ACR to
   be generated.

   This AVP is not used for retransmissions at the transport level (TCP
--

8.9.  Acct-Link-Count

   The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and
   indicates the total number of links that have been active (current or
   closed) in a given multilink session at the time the accounting
   record is generated.  This AVP MAY be included in Accounting-Requests
   for any session that may be part of a multilink service.

   The Acct-Link-Count AVP may be used to make it easier for an
   accounting server to know when it has all the records for a given
   multilink service.  When the number of Accounting-Requests received
   with Accounting-Record-Type = STOP_RECORD and with the same Acct-
   Multi-Session-Id and unique Session-Ids equals the largest value of
   Acct-Link-Count seen in those Accounting-Requests, all STOP_RECORD
   Accounting-Requests for that multilink service have been received.

   The following example, showing eight Accounting-Requests, illustrates
   how the Acct-Link-Count AVP is used.  In the table below, only the
   relevant AVPs are shown, although additional AVPs containing
   accounting information will be present in the Accounting-Requests.

      Acct-Multi-               Accounting-    Acct-
      Session-Id   Session-Id   Record-Type    Link-Count
      --------------------------------------------------------
      "...10"      "...10"      START_RECORD   1
      "...10"      "...11"      START_RECORD   2
      "...10"      "...11"      STOP_RECORD    2
--
   Translation Agent receives a RADIUS message to be translated to a
   Diameter message.

   Note that RADIUS servers are assumed to be stateless.  It is also
   quite possible for the RADIUS messages that comprise the session
   (i.e., authentication and accounting messages) to be handled by
   different Translation Agents in the proxy network.  Therefore, a
   RADIUS/Diameter Translation Agent SHOULD NOT be assumed to have an
   accurate track on session-state information.


--
         Diameter Tunneling Grouped AVP set.  If the tunnel information
         contains a Tunnel-Password attribute, the RADIUS encryption
         must be resolved, and the password forwarded, by using Diameter
         security methods.
../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: - If the RADIUS message received is an Accounting-Request, the ../data/rfc/rfc4005.txt- Acct-Status-Type attribute value must be converted to an ../data/rfc/rfc4005.txt: Accounting-Record-Type AVP value. If the Acct-Status-Type ../data/rfc/rfc4005.txt- attribute value is STOP, the local server MUST issue a ../data/rfc/rfc4005.txt- Session-Termination-Request message once the Diameter ../data/rfc/rfc4005.txt: Accounting-Answer message has been received. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: - If the Accounting message contains an Acct-Terminate-Cause ../data/rfc/rfc4005.txt- attribute, it should be translated to the equivalent ../data/rfc/rfc4005.txt- Termination-Cause AVP value (see below). ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: - If the RADIUS message contains the Acct-Input-Octets, ../data/rfc/rfc4005.txt: Acct-Input-Packets, Acct-Output-Octets, or ../data/rfc/rfc4005.txt: Acct-Output-Packets attributes, these must be converted ../data/rfc/rfc4005.txt- to the Diameter equivalents. Further, if the Acct-Input- ../data/rfc/rfc4005.txt- Gigawords or Acct-Output-Gigawords attributes are present, ../data/rfc/rfc4005.txt: these must be used to properly compute the Diameter accounting ../data/rfc/rfc4005.txt- AVPs. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- The corresponding Diameter response is always guaranteed to be ../data/rfc/rfc4005.txt- received by the same Translation Agent that translated the original ../data/rfc/rfc4005.txt- request, due to the contents of the Proxy-Info AVP group in the -- ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- - If the Command-Code is set to AA-Answer, the Diameter Session- ../data/rfc/rfc4005.txt- Id AVP is saved in a new RADIUS Class attribute whose format ../data/rfc/rfc4005.txt- consists of the string "Diameter/" followed by the Diameter ../data/rfc/rfc4005.txt- Session Identifier. 
This will ensure that the subsequent ../data/rfc/rfc4005.txt: Accounting messages, which could be received by any Translation ../data/rfc/rfc4005.txt- Agent, would have access to the original Diameter Session ../data/rfc/rfc4005.txt- Identifier. ../data/rfc/rfc4005.txt- - If a Proxy-State attribute was present in the RADIUS request, ../data/rfc/rfc4005.txt- the same attribute is added in the response. This information ../data/rfc/rfc4005.txt- may be found in the Proxy-Info AVP group, or in a local state -- ../data/rfc/rfc4005.txt- true for any other RADIUS-encrypted attribute values. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- - AVPs of type Address must be translated to the ../data/rfc/rfc4005.txt- corresponding RADIUS attribute. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: - If the Accounting-Input-Octets, Accounting-Input-Packets, ../data/rfc/rfc4005.txt: Accounting-Output-Octets, or Accounting-Output-Packets AVPs are ../data/rfc/rfc4005.txt- present, they must be translated to the corresponding RADIUS ../data/rfc/rfc4005.txt- attributes. If the values of the Diameter AVPs do not fit ../data/rfc/rfc4005.txt- within a 32-bit RADIUS attribute, the RADIUS Acct-Input- ../data/rfc/rfc4005.txt- Gigawords and Acct-Output-Gigawords must be used. 
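The translation rules in both directions above come down to two conversions: Acct-Status-Type to Accounting-Record-Type, and the 32-bit RADIUS octet counters plus their Gigawords wrap counts to and from the Unsigned64 Diameter Accounting-*-Octets AVPs. The following Python is an added example, not code from RFC 4005 or from any Translation Agent; it represents attributes and AVPs as plain dictionaries keyed by name (a simplification of the wire encodings), and the sample Accounting-Request is constructed. Only Start, Stop and Interim-Update are mapped to record types, since the page gives no rule for Accounting-On/Off; those are rejected rather than guessed.

```python
"""RADIUS <-> Diameter translation of accounting counters, following the
rules quoted above. Added example; attribute dicts and sample data are
constructed, not taken from a capture.
"""

UINT32_MAX = 0xFFFF_FFFF
UINT64_MAX = 0xFFFF_FFFF_FFFF_FFFF

# Acct-Status-Type (RFC 2866) -> Accounting-Record-Type (RFC 3588).
ACCT_STATUS_TO_RECORD_TYPE = {
    "Start": "START_RECORD",
    "Stop": "STOP_RECORD",
    "Interim-Update": "INTERIM_RECORD",
}


def _check_u32(name, value):
    if not 0 <= value <= UINT32_MAX:
        raise ValueError(f"{name} must fit in 32 bits, got {value}")


def radius_to_diameter_octets(octets, gigawords=0):
    """Combine the 32-bit Acct-*-Octets counter with Acct-*-Gigawords
    (RFC 2869: how many times the counter wrapped past 2^32)."""
    _check_u32("Acct-*-Octets", octets)
    _check_u32("Acct-*-Gigawords", gigawords)
    return (gigawords << 32) | octets


def diameter_to_radius_octets(total):
    """Split an Unsigned64 Diameter octet count into (octets, gigawords)."""
    if not 0 <= total <= UINT64_MAX:
        raise ValueError(f"Accounting-*-Octets must fit in 64 bits, got {total}")
    return total & UINT32_MAX, total >> 32


def translate_acct_request(radius):
    """Translate a RADIUS Accounting-Request's accounting attributes to
    Diameter ACR AVPs. Returns (avps, send_str): send_str is True for a
    Stop record, telling the Translation Agent to issue a
    Session-Termination-Request once the Accounting-Answer arrives."""
    avps = {}
    status = radius["Acct-Status-Type"]
    if status not in ACCT_STATUS_TO_RECORD_TYPE:
        raise ValueError(f"no Accounting-Record-Type mapping for {status!r}")
    avps["Accounting-Record-Type"] = ACCT_STATUS_TO_RECORD_TYPE[status]
    for direction in ("Input", "Output"):
        octets_attr = f"Acct-{direction}-Octets"
        if octets_attr in radius:
            avps[f"Accounting-{direction}-Octets"] = radius_to_diameter_octets(
                radius[octets_attr], radius.get(f"Acct-{direction}-Gigawords", 0))
        packets_attr = f"Acct-{direction}-Packets"
        if packets_attr in radius:
            # RADIUS defines no Gigawords for packets: straight copy.
            _check_u32(packets_attr, radius[packets_attr])
            avps[f"Accounting-{direction}-Packets"] = radius[packets_attr]
    if "Acct-Delay-Time" in radius:
        avps["Acct-Delay-Time"] = radius["Acct-Delay-Time"]
    return avps, status == "Stop"


def translate_acct_avps_to_radius(avps):
    """Reverse direction: split the Unsigned64 octet counts into the
    32-bit RADIUS attribute, adding the Gigawords attribute only when
    the value does not fit in 32 bits."""
    radius = {}
    for direction in ("Input", "Output"):
        avp = f"Accounting-{direction}-Octets"
        if avp in avps:
            low, high = diameter_to_radius_octets(avps[avp])
            radius[f"Acct-{direction}-Octets"] = low
            if high:
                radius[f"Acct-{direction}-Gigawords"] = high
        avp = f"Accounting-{direction}-Packets"
        if avp in avps:
            # No Gigawords attribute exists for packets, so an oversize
            # count cannot be expressed: fail loudly rather than truncate.
            _check_u32(avp, avps[avp])
            radius[f"Acct-{direction}-Packets"] = avps[avp]
    return radius


# Constructed sample: a Stop record whose input counter wrapped twice.
SAMPLE_RADIUS_STOP = {
    "Acct-Status-Type": "Stop",
    "Acct-Input-Octets": 1000,
    "Acct-Input-Gigawords": 2,
    "Acct-Output-Octets": 5,
    "Acct-Input-Packets": 42,
    "Acct-Delay-Time": 3,
}

if __name__ == "__main__":
    avps, send_str = translate_acct_request(SAMPLE_RADIUS_STOP)
    print(avps, "send STR:", send_str)
    print(translate_acct_avps_to_radius(avps))
```

The round trip preserves the counters exactly; the one value that cannot survive the Diameter-to-RADIUS direction is a packet count above 2^32, which the code rejects instead of silently wrapping.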
../data/rfc/rfc4005.txt- -- ../data/rfc/rfc4005.txt- Attribute Description Defined Nearest Diameter AVP ../data/rfc/rfc4005.txt- ----------------------------------------------------------------- ../data/rfc/rfc4005.txt- 3 CHAP-Password RFC 2865 CHAP-Auth Group ../data/rfc/rfc4005.txt- 26 Vendor-Specific RFC 2865 Vendor Specific AVP ../data/rfc/rfc4005.txt- 29 Termination-Action RFC 2865 Authorization-Lifetime ../data/rfc/rfc4005.txt: 40 Acct-Status-Type RFC 2866 Accounting-Record-Type ../data/rfc/rfc4005.txt: 42 Acct-Input-Octets RFC 2866 Accounting-Input-Octets ../data/rfc/rfc4005.txt: 43 Acct-Output-Octets RFC 2866 Accounting-Output-Octets ../data/rfc/rfc4005.txt: 47 Acct-Input-Packets RFC 2866 Accounting-Input-Packets ../data/rfc/rfc4005.txt: 48 Acct-Output-Packets RFC 2866 Accounting-Output-Packets ../data/rfc/rfc4005.txt- 49 Acct-Terminate-Cause RFC 2866 Termination-Cause ../data/rfc/rfc4005.txt: 52 Acct-Input-Gigawords RFC 2869 Accounting-Input-Octets ../data/rfc/rfc4005.txt: 53 Acct-Output-Gigawords RFC 2869 Accounting-Output-Octets ../data/rfc/rfc4005.txt- 80 Message-Authenticator RFC 2869 none - check and discard ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt-9.5. Translatable Diameter AVPs ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- In general, Diameter AVPs that are not RADIUS compatible have code -- ../data/rfc/rfc4005.txt- Tunneling | 0+ | 0+ | ../data/rfc/rfc4005.txt- User-Name | 0-1 | 0-1 | ../data/rfc/rfc4005.txt- User-Password | 0-1 | 0 | ../data/rfc/rfc4005.txt- ------------------------------|-----+-----+ ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt:10.2. Accounting AVP Tables ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- The tables in this section are used to show which AVPs defined in ../data/rfc/rfc4005.txt- this document are to be present and used in NAS application ../data/rfc/rfc4005.txt: Accounting messages. These AVPs are defined in this document, as ../data/rfc/rfc4005.txt- well as in [BASE] and [RADIUSAcct]. 
../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- -- ../data/rfc/rfc4005.txt-Calhoun, et al. Standards Track [Page 73] ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt-RFC 4005 Diameter Network Access Server Application August 2005 ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt:10.2.1. Accounting Framed Access AVP Table ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- The table in this section is used when the Service-Type specifies ../data/rfc/rfc4005.txt- Framed Access. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- +-----------+ ../data/rfc/rfc4005.txt- | Command | ../data/rfc/rfc4005.txt- |-----+-----+ ../data/rfc/rfc4005.txt- Attribute Name | ACR | ACA | ../data/rfc/rfc4005.txt- ---------------------------------------|-----+-----+ ../data/rfc/rfc4005.txt: Accounting-Auth-Method | 0-1 | 0 | ../data/rfc/rfc4005.txt: Accounting-Input-Octets | 1 | 0 | ../data/rfc/rfc4005.txt: Accounting-Input-Packets | 1 | 0 | ../data/rfc/rfc4005.txt: Accounting-Output-Octets | 1 | 0 | ../data/rfc/rfc4005.txt: Accounting-Output-Packets | 1 | 0 | ../data/rfc/rfc4005.txt: Accounting-Record-Number | 0-1 | 0-1 | ../data/rfc/rfc4005.txt: Accounting-Record-Type | 1 | 1 | ../data/rfc/rfc4005.txt: Accounting-Realtime-Required | 0-1 | 0-1 | ../data/rfc/rfc4005.txt: Accounting-Sub-Session-Id | 0-1 | 0-1 | ../data/rfc/rfc4005.txt- Acct-Application-Id | 0-1 | 0-1 | ../data/rfc/rfc4005.txt- Acct-Session-Id | 1 | 0-1 | ../data/rfc/rfc4005.txt- Acct-Multi-Session-Id | 0-1 | 0-1 | ../data/rfc/rfc4005.txt- Acct-Authentic | 1 | 0 | ../data/rfc/rfc4005.txt- Acct-Delay-Time | 0-1 | 0 | -- ../data/rfc/rfc4005.txt-Calhoun, et al. Standards Track [Page 75] ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt-RFC 4005 Diameter Network Access Server Application August 2005 ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt:10.2.2. 
Accounting Non-Framed Access AVP Table ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- The table in this section is used when the Service-Type specifies ../data/rfc/rfc4005.txt- Non-Framed Access. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- +-----------+ ../data/rfc/rfc4005.txt- | Command | ../data/rfc/rfc4005.txt- |-----+-----+ ../data/rfc/rfc4005.txt- Attribute Name | ACR | ACA | ../data/rfc/rfc4005.txt- ---------------------------------------|-----+-----+ ../data/rfc/rfc4005.txt: Accounting-Auth-Method | 0-1 | 0 | ../data/rfc/rfc4005.txt: Accounting-Input-Octets | 1 | 0 | ../data/rfc/rfc4005.txt: Accounting-Output-Octets | 1 | 0 | ../data/rfc/rfc4005.txt: Accounting-Record-Type | 1 | 1 | ../data/rfc/rfc4005.txt: Accounting-Record-Number | 0-1 | 0-1 | ../data/rfc/rfc4005.txt: Accounting-Realtime-Required | 0-1 | 0-1 | ../data/rfc/rfc4005.txt: Accounting-Sub-Session-Id | 0-1 | 0-1 | ../data/rfc/rfc4005.txt- Acct-Application-Id | 0-1 | 0-1 | ../data/rfc/rfc4005.txt- Acct-Session-Id | 1 | 0-1 | ../data/rfc/rfc4005.txt- Acct-Multi-Session-Id | 0-1 | 0-1 | ../data/rfc/rfc4005.txt- Acct-Authentic | 1 | 0 | ../data/rfc/rfc4005.txt- Acct-Delay-Time | 0-1 | 0 | -- ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- As defined in section 5.5, the CHAP-Algorithm AVP (AVP Code 403) uses ../data/rfc/rfc4005.txt- the values of the "PPP AUTHENTICATION ALGORITHMS" namespace defined ../data/rfc/rfc4005.txt- in [PPPCHAP]. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt:11.5. Accounting-Auth-Method AVP Values ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: As defined in section 8.6, the Accounting-Auth-Method AVP (AVP Code ../data/rfc/rfc4005.txt- 406) defines the values 1 - 5. All remaining values are available ../data/rfc/rfc4005.txt- for assignment via IETF Consensus [IANA]. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt-11.6. 
Origin-AAA-Protocol AVP Values ../data/rfc/rfc4005.txt- -- ../data/rfc/rfc4005.txt- [BASE] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and ../data/rfc/rfc4005.txt- J. Arkko, "Diameter Base Protocol", RFC 3588, ../data/rfc/rfc4005.txt- September 2003. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- [DiamTrans] Aboba, B. and J. Wood, "Authentication, Authorization ../data/rfc/rfc4005.txt: and Accounting (AAA) Transport Profile", RFC 3539, ../data/rfc/rfc4005.txt- June 2003. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- [RADIUS] Rigney, C., Willens, S., Rubens, A., and W. Simpson, ../data/rfc/rfc4005.txt- "Remote Authentication Dial In User Service (RADIUS)", ../data/rfc/rfc4005.txt- RFC 2865, June 2000. -- ../data/rfc/rfc4005.txt- <http://www.nanpa.com/number_resource_info/ ../data/rfc/rfc4005.txt- ani_ii_assignments.html> ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt-13.2. Informative References ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: [RADIUSAcct] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- [RADIUSExt] Rigney, C., Willats, W., and P. Calhoun, "RADIUS ../data/rfc/rfc4005.txt- Extensions", RFC 2869, June 2000. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- [RADTunnels] Zorn, G., Leifer, D., Rubens, A., Shriver, J., ../data/rfc/rfc4005.txt- Holdrege, M., and I. Goyret, "RADIUS Attributes for ../data/rfc/rfc4005.txt- Tunnel Protocol Support", RFC 2868, June 2000. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt: [RADTunlAcct] Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting ../data/rfc/rfc4005.txt- Modifications for Tunnel Protocol Support", RFC 2867, ../data/rfc/rfc4005.txt- June 2000. ../data/rfc/rfc4005.txt- ../data/rfc/rfc4005.txt- [RADDynAuth] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. 
../data/rfc/rfc4005.txt- Aboba, "Dynamic Authorization Extensions to Remote -- ../data/rfc/rfc2837.txt- The Status Group ............................................16 ../data/rfc/rfc2837.txt- The FxPort Status Table ...................................16 ../data/rfc/rfc2837.txt- The FxPort Physical Level Table ...........................18 ../data/rfc/rfc2837.txt- The FxPort Fabric Login Table .............................20 ../data/rfc/rfc2837.txt- The Error Group .............................................24 ../data/rfc/rfc2837.txt: The Accounting Groups........................................27 ../data/rfc/rfc2837.txt: The Class 1 Accounting Table ..............................27 ../data/rfc/rfc2837.txt: The Class 2 Accounting Table ..............................31 ../data/rfc/rfc2837.txt: The Class 3 Accounting Table ..............................33 ../data/rfc/rfc2837.txt- The Capability Group ........................................35 ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt-Teow Standards Track [Page 1] -- ../data/rfc/rfc2837.txt- with its managed objects. The managed objects are divided as follow: ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- - the Configuration group ../data/rfc/rfc2837.txt- - the Status group ../data/rfc/rfc2837.txt- - the Error group ../data/rfc/rfc2837.txt: - the Accounting group ../data/rfc/rfc2837.txt- - the Capability group ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- In each group, scalar objects and table entries are defined. 
../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- The Configuration group contains configuration and service parameters -- ../data/rfc/rfc2837.txt-Teow Standards Track [Page 5] ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt-RFC 2837 FC Fabric Element MIB May 2000 ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: The Accounting group contains statistical data suitable for deriving ../data/rfc/rfc2837.txt: accounting and performance information. ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- The Capability group contains parameters indicating the inherent ../data/rfc/rfc2837.txt- capability of the Fabric Element and each FxPort. ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt-3. Object Definitions -- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFeConfig OBJECT IDENTIFIER ::= { fcFeMIBObjects 1 } ../data/rfc/rfc2837.txt- fcFeStatus OBJECT IDENTIFIER ::= { fcFeMIBObjects 2 } ../data/rfc/rfc2837.txt- fcFeError OBJECT IDENTIFIER ::= { fcFeMIBObjects 3 } ../data/rfc/rfc2837.txt: fcFeAccounting OBJECT IDENTIFIER ::= { fcFeMIBObjects 4 } ../data/rfc/rfc2837.txt- fcFeCapabilities OBJECT IDENTIFIER ::= { fcFeMIBObjects 5 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- -- Textual Conventions ../data/rfc/rfc2837.txt- MilliSeconds ::= TEXTUAL-CONVENTION ../data/rfc/rfc2837.txt- STATUS current -- ../data/rfc/rfc2837.txt- "The number of Offline Sequences issued by this FxPort." ../data/rfc/rfc2837.txt- ::= { fcFxPortErrorEntry 12 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: -- Accounting Groups: ../data/rfc/rfc2837.txt: -- (1) Class 1 Accounting Group, ../data/rfc/rfc2837.txt: -- (2) Class 2 Accounting Group, and ../data/rfc/rfc2837.txt: -- (3) Class 3 Accounting Group. ../data/rfc/rfc2837.txt: -- Each group consists of a table that contains accounting ../data/rfc/rfc2837.txt- -- information for the FxPorts in the Fabric Element. 
../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: -- the Class 1 Accounting table ../data/rfc/rfc2837.txt- -- This table contains, one entry for each FxPort in the Fabric ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt-Teow Standards Track [Page 27] -- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- -- Element, Counter32s for certain types of events that occurred in the ../data/rfc/rfc2837.txt- -- FxPorts since the management agent has re-initialized. ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: fcFxPortC1AccountingTable OBJECT-TYPE ../data/rfc/rfc2837.txt: SYNTAX SEQUENCE OF FcFxPortC1AccountingEntry ../data/rfc/rfc2837.txt- MAX-ACCESS not-accessible ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "A table that contains, one entry for each FxPort in the ../data/rfc/rfc2837.txt: Fabric Element, Class 1 accounting information recorded ../data/rfc/rfc2837.txt- since the management agent has re-initialized." ../data/rfc/rfc2837.txt: ::= { fcFeAccounting 1 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: fcFxPortC1AccountingEntry OBJECT-TYPE ../data/rfc/rfc2837.txt: SYNTAX FcFxPortC1AccountingEntry ../data/rfc/rfc2837.txt- MAX-ACCESS not-accessible ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt: "An entry containing Class 1 accounting information for each ../data/rfc/rfc2837.txt- FxPort." 
../data/rfc/rfc2837.txt- AUGMENTS { fcFxPortEntry } ../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingTable 1 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: FcFxPortC1AccountingEntry ::= ../data/rfc/rfc2837.txt- SEQUENCE { ../data/rfc/rfc2837.txt- fcFxPortC1InFrames ../data/rfc/rfc2837.txt- Counter32, ../data/rfc/rfc2837.txt- fcFxPortC1OutFrames ../data/rfc/rfc2837.txt- Counter32, -- ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 1 frames (other than Class 1 connect- ../data/rfc/rfc2837.txt- request) received by this FxPort from its attached NxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingEntry 1 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC1OutFrames OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 1 frames (other than Class 1 connect- ../data/rfc/rfc2837.txt- request) delivered through this FxPort to its attached ../data/rfc/rfc2837.txt- NxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingEntry 2 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC1InOctets OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 1 frame octets, including the frame ../data/rfc/rfc2837.txt- delimiters, received by this FxPort from its attached ../data/rfc/rfc2837.txt- NxPort." 
../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingEntry 3 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC1OutOctets OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 1 frame octets, including the frame ../data/rfc/rfc2837.txt- delimiters, delivered through this FxPort to its attached ../data/rfc/rfc2837.txt- NxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingEntry 4 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC1Discards OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 1 frames discarded by this FxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingEntry 5 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC1FbsyFrames OBJECT-TYPE ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- -- ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of F_BSY frames generated by this FxPort against ../data/rfc/rfc2837.txt- Class 1 connect-request." ../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingEntry 6 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC1FrjtFrames OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of F_RJT frames generated by this FxPort against ../data/rfc/rfc2837.txt- Class 1 connect-request." 
../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingEntry 7 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC1InConnections OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 1 connections successfully established ../data/rfc/rfc2837.txt- in which the attached NxPort is the source of the connect- ../data/rfc/rfc2837.txt- request." ../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingEntry 8 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC1OutConnections OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 1 connections successfully established ../data/rfc/rfc2837.txt- in which the attached NxPort is the destination of the ../data/rfc/rfc2837.txt- connect-request." ../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingEntry 9 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC1ConnTime OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX MilliSeconds ../data/rfc/rfc2837.txt- UNITS "milliseconds" ../data/rfc/rfc2837.txt- MAX-ACCESS read-only -- ../data/rfc/rfc2837.txt-Teow Standards Track [Page 30] ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt-RFC 2837 FC Fabric Element MIB May 2000 ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: ::= { fcFxPortC1AccountingEntry 10 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: -- the Class 2 Accounting table ../data/rfc/rfc2837.txt- -- This table contains, one entry for each FxPort in the Fabric ../data/rfc/rfc2837.txt- -- Element, Counter32s for certain types of events that occurred in the ../data/rfc/rfc2837.txt- -- FxPorts since the management agent has re-initialized. 
../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: fcFxPortC2AccountingTable OBJECT-TYPE ../data/rfc/rfc2837.txt: SYNTAX SEQUENCE OF FcFxPortC2AccountingEntry ../data/rfc/rfc2837.txt- MAX-ACCESS not-accessible ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "A table that contains, one entry for each FxPort in the ../data/rfc/rfc2837.txt: Fabric Element, Class 2 accounting information recorded ../data/rfc/rfc2837.txt- since the management agent has re-initialized." ../data/rfc/rfc2837.txt: ::= { fcFeAccounting 2 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: fcFxPortC2AccountingEntry OBJECT-TYPE ../data/rfc/rfc2837.txt: SYNTAX FcFxPortC2AccountingEntry ../data/rfc/rfc2837.txt- MAX-ACCESS not-accessible ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt: "An entry containing Class 2 accounting information for each ../data/rfc/rfc2837.txt- FxPort." ../data/rfc/rfc2837.txt- AUGMENTS { fcFxPortEntry } ../data/rfc/rfc2837.txt: ::= { fcFxPortC2AccountingTable 1 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: FcFxPortC2AccountingEntry ::= ../data/rfc/rfc2837.txt- SEQUENCE { ../data/rfc/rfc2837.txt- fcFxPortC2InFrames ../data/rfc/rfc2837.txt- Counter32, ../data/rfc/rfc2837.txt- fcFxPortC2OutFrames ../data/rfc/rfc2837.txt- Counter32, -- ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 2 frames received by this FxPort from ../data/rfc/rfc2837.txt- its attached NxPort." 
../data/rfc/rfc2837.txt: ::= { fcFxPortC2AccountingEntry 1 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC2OutFrames OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 2 frames delivered through this FxPort ../data/rfc/rfc2837.txt- to its attached NxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC2AccountingEntry 2 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC2InOctets OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 2 frame octets, including the frame ../data/rfc/rfc2837.txt- delimiters, received by this FxPort from its attached ../data/rfc/rfc2837.txt- NxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC2AccountingEntry 3 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC2OutOctets OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 2 frame octets, including the frame ../data/rfc/rfc2837.txt- delimiters, delivered through this FxPort to its attached ../data/rfc/rfc2837.txt- NxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC2AccountingEntry 4 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC2Discards OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 2 frames discarded by this FxPort." 
../data/rfc/rfc2837.txt: ::= { fcFxPortC2AccountingEntry 5 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC2FbsyFrames OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- -- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of F_BSY frames generated by this FxPort against ../data/rfc/rfc2837.txt- Class 2 frames." ../data/rfc/rfc2837.txt: ::= { fcFxPortC2AccountingEntry 6 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC2FrjtFrames OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of F_RJT frames generated by this FxPort against ../data/rfc/rfc2837.txt- Class 2 frames." ../data/rfc/rfc2837.txt: ::= { fcFxPortC2AccountingEntry 7 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: -- the Class 3 Accounting Group ../data/rfc/rfc2837.txt- -- This table contains, one entry for each FxPort in the Fabric ../data/rfc/rfc2837.txt- -- Element, Counter32s for certain types of events that occurred in the ../data/rfc/rfc2837.txt- -- FxPorts since the management agent has re-initialized. ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: fcFxPortC3AccountingTable OBJECT-TYPE ../data/rfc/rfc2837.txt: SYNTAX SEQUENCE OF FcFxPortC3AccountingEntry ../data/rfc/rfc2837.txt- MAX-ACCESS not-accessible ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "A table that contains, one entry for each FxPort in the ../data/rfc/rfc2837.txt: Fabric Element, Class 3 accounting information recorded ../data/rfc/rfc2837.txt- since the management agent has re-initialized." 
../data/rfc/rfc2837.txt: ::= { fcFeAccounting 3 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: fcFxPortC3AccountingEntry OBJECT-TYPE ../data/rfc/rfc2837.txt: SYNTAX FcFxPortC3AccountingEntry ../data/rfc/rfc2837.txt- MAX-ACCESS not-accessible ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt: "An entry containing Class 3 accounting information for each ../data/rfc/rfc2837.txt- FxPort." ../data/rfc/rfc2837.txt- AUGMENTS { fcFxPortEntry } ../data/rfc/rfc2837.txt: ::= { fcFxPortC3AccountingTable 1 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: FcFxPortC3AccountingEntry ::= ../data/rfc/rfc2837.txt- SEQUENCE { ../data/rfc/rfc2837.txt- fcFxPortC3InFrames ../data/rfc/rfc2837.txt- Counter32, ../data/rfc/rfc2837.txt- fcFxPortC3OutFrames ../data/rfc/rfc2837.txt- Counter32, -- ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 3 frames received by this FxPort from ../data/rfc/rfc2837.txt- its attached NxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC3AccountingEntry 1 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC3OutFrames OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 3 frames delivered through this FxPort ../data/rfc/rfc2837.txt- to its attached NxPort." 
../data/rfc/rfc2837.txt: ::= { fcFxPortC3AccountingEntry 2 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC3InOctets OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 3 frame octets, including the frame ../data/rfc/rfc2837.txt- delimiters, received by this FxPort from its attached ../data/rfc/rfc2837.txt- NxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC3AccountingEntry 3 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC3OutOctets OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 3 frame octets, including the frame ../data/rfc/rfc2837.txt- delimiters, delivered through this FxPort to its attached ../data/rfc/rfc2837.txt- NxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC3AccountingEntry 4 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- fcFxPortC3Discards OBJECT-TYPE ../data/rfc/rfc2837.txt- SYNTAX Counter32 ../data/rfc/rfc2837.txt- MAX-ACCESS read-only ../data/rfc/rfc2837.txt- -- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- STATUS current ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "The number of Class 3 frames discarded by this FxPort." ../data/rfc/rfc2837.txt: ::= { fcFxPortC3AccountingEntry 5 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- -- The Capability Group - consists of a table describing ../data/rfc/rfc2837.txt- -- information about what each FxPort is inherently capable ../data/rfc/rfc2837.txt- -- of operating or supporting. -- ../data/rfc/rfc2837.txt- which implement the FIBRE-CHANNEL-FE-MIB." 
../data/rfc/rfc2837.txt- MODULE -- this module ../data/rfc/rfc2837.txt- MANDATORY-GROUPS { fcFeConfigGroup, fcFeStatusGroup, ../data/rfc/rfc2837.txt- fcFeErrorGroup, fcFeCapabilitiesGroup } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: GROUP fcFeClass1AccountingGroup ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "This group is mandatory for all fibre channel fabric ../data/rfc/rfc2837.txt- elements which support class 1 frames." ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: GROUP fcFeClass2AccountingGroup ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "This group is mandatory for all fibre channel fabric ../data/rfc/rfc2837.txt- elements which support class 2 frames." ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: GROUP fcFeClass3AccountingGroup ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "This group is mandatory for all fibre channel fabric ../data/rfc/rfc2837.txt- elements which support class 3 frames." ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt- OBJECT fcFeFabricName -- ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "A collection of objects providing various error ../data/rfc/rfc2837.txt- statistics detected by the FxPorts." ../data/rfc/rfc2837.txt- ::= { fcFeMIBGroups 3 } ../data/rfc/rfc2837.txt- ../data/rfc/rfc2837.txt: fcFeClass1AccountingGroup OBJECT-GROUP ../data/rfc/rfc2837.txt- OBJECTS { fcFxPortC1InFrames, fcFxPortC1OutFrames, ../data/rfc/rfc2837.txt- fcFxPortC1InOctets, fcFxPortC1OutOctets, ../data/rfc/rfc2837.txt- fcFxPortC1Discards, fcFxPortC1FbsyFrames, ../data/rfc/rfc2837.txt- fcFxPortC1FrjtFrames, fcFxPortC1InConnections, ../data/rfc/rfc2837.txt- fcFxPortC1OutConnections, fcFxPortC1ConnTime -- ../data/rfc/rfc2837.txt- DESCRIPTION ../data/rfc/rfc2837.txt- "A collection of objects providing various class 1 ../data/rfc/rfc2837.txt- performance statistics detected by the FxPorts." 
            ::= { fcFeMIBGroups 4 }

        fcFeClass2AccountingGroup OBJECT-GROUP
            OBJECTS { fcFxPortC2InFrames, fcFxPortC2OutFrames,
                      fcFxPortC2InOctets, fcFxPortC2OutOctets,
                      fcFxPortC2Discards, fcFxPortC2FbsyFrames,
                      fcFxPortC2FrjtFrames
                    }
--
            DESCRIPTION
                "A collection of objects providing various class 2
                performance statistics detected by the FxPorts."
            ::= { fcFeMIBGroups 5 }

        fcFeClass3AccountingGroup OBJECT-GROUP
            OBJECTS { fcFxPortC3InFrames, fcFxPortC3OutFrames,
                      fcFxPortC3InOctets, fcFxPortC3OutOctets,
                      fcFxPortC3Discards
                    }
--
../data/rfc/rfc3869.txt

   Included in this topic are a wide variety of issues. The more distributed and dynamic nature of partially or completely self-organizing routing systems (including the associated end nodes) creates unique security challenges (especially relating to Authorization, Authentication, and Accounting, and relating to key management). Scalability of wireless networks can be difficult to measure or to achieve. Enforced hierarchy is one approach, but can be very limiting. Alternative, less constraining approaches to wireless scalability are desired. Because wireless link-layer protocols usually have some knowledge of current link characteristics
--
../data/rfc/rfc437.txt
   'ARPA'.

   'LOGOUT' <CA>

   Logs the user out and disables job-oriented commands and billing of subsequent activity to the previously specified accounting parameters. As with 'DISCONNECT', any jobs the terminal has active are purged.

   'MONITOR' (<tty list>|<CA>) <CA>

--
../data/rfc/rfc3457.txt
   Until recently, remote access has typically been characterized by dial-up users accessing the target network via the Public Switched Telephone Network (PSTN), with the dial-up connection terminating at a Network Access Server (NAS) within the target domain. The protocols facilitating this have usually been PPP-based, and access control, authorization, and accounting functions have typically been provided using one or more of a number of available mechanisms, including RADIUS [RADIUS].

--
2.1.5 Compatibility With Legacy Remote Access Mechanisms

   There are a number of currently deployed remote access mechanisms which were installed prior to the deployment of IPsec. Typically, these are dialup systems which rely upon RADIUS for user authentication and accounting, but there are other mechanisms as well. An ideal IPsec remote access solution might utilize the components of the underlying framework without modification. Inasmuch as this is possible, this should be a goal.
   However, there may be cases where this simply cannot be accomplished, due to security and/or other considerations. In such cases, the IPsec
--
   In general, proposed IPsec remote access mechanisms should meet the following goals:

   o  should provide direct support for legacy user authentication and accounting systems such as RADIUS

Kelly & Ramamoorthi          Informational                      [Page 9]

--
../data/rfc/rfc3004.txt
1. Introduction

   DHCP administrators may define specific user class identifiers to convey information about a client's software configuration or about its user's preferences. For example, the User Class option can be used to configure all clients of people in the accounting department with a different printer than clients of people in the marketing department.

--
../data/rfc/rfc2795.txt
Table of Contents

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2
   2. Objects In The Suite . . . . . . . . . . . . . . . . . . . 2
   3. IMPS Packet Structure . . . . . . . . . . . . . . . . . . 4
   4. Infinite Threshold Accounting Gadget (I-TAG) Encoding . . 5
   5. KEEPER Specification . . . . . . . . . . . . . . . . . . . 6
   5.1 KEEPER Message Request Codes (ZOO-to-SIMIAN) . . . . . .
7
   5.2 KEEPER Message Response Codes (SIMIAN-to-ZOO) . . . . . 8
   5.3 Requirements for KEEPER Request and Response Codes . . . 8
   5.4 Example ZOO-to-SIMIAN Exchanges using KEEPER . . . . . . 9
--
Christey                     Informational                      [Page 4]

RFC 2795        The Infinite Monkey Protocol Suite (IMPS)     1 April 2000

4. Infinite Threshold Accounting Gadget (I-TAG) Encoding

   Each SIMIAN requires a unique identifier within IMPS. This section describes design considerations for the IMPS identifier, referred to as an Infinite Threshold Accounting Gadget (I-TAG). The I-TAG can represent numbers of any size.

   To uniquely identify each SIMIAN, a system is required that is capable of representing an infinite number of identifiers. The set of all integers can be used as a compact representation.
   However,
--
Pittet                      Standards Track                    [Page 10]

RFC 2835             IP and ARP over HIPPI-6400 (GSN)              May 2000

   For HIPPI-6400 the byte accounting is:

      HIPPI-6400-PH Header                 16 bytes
      IEEE 802.2 LLC/SNAP Headers           8 bytes
      Maximum IP packet size (MTU)      65280 bytes
      Unused expansion room               232 bytes
                                        ------------
      Total                             65536 bytes (64K)

   In contrast, the HIPPI-800 accounting is:

      HIPPI-800-FP Header                   8 bytes
      HIPPI-800-LE Header                  24 bytes
      IEEE 802.2 LLC/SNAP Headers           8 bytes
      Unused expansion room               216 bytes
--
   ports, the upper bound on the bandwidth that such a service can broadcast is:

      (total bandwidth)/(n+1)

   since each message must first enter the broadcast server, accounting for the additional 1, and then be sent to all n ports. The broadcast server could forward the message destined to the port on which it runs internally, thus reducing (n+1) to (n) in a first optimization.

   This service is adequate for the standard networking protocols such
--
../data/rfc/rfc6988.txt
   o  evaluating the effectiveness of energy-saving policies and measures

   o  deriving, implementing, and testing power management strategies

   o  accounting for the total power received and provided by an entity, a network, or a service

   o  predicting an entity's reliability based on power usage

   o  choosing the time of the next maintenance cycle for an entity
--
   just the received and provided energy; therefore, monitored data requires protection. This protection includes authentication and authorization of entities requesting access to monitored data as well as confidentiality protection during transmission of monitored data. Privacy of stored data in an entity must be taken into account. Monitored data may be used as input to control, accounting, and other actions, so integrity of transmitted information and authentication of the origin may be needed.

9.1. Secure Energy Management

--
../data/rfc/rfc5866.txt
   6. QoS Application State Machine . . . . . . . . . . . . . . . . 34
   6.1. Supplemented States for Push Mode . . . . . . . . . . . . 34
   7. QoS Application AVPs . . . . . . . . . . . . . . . . . . . . . 35
   7.1. Reused Base Protocol AVPs . . . . . . . . . . . . . . . . 36
   7.2. QoS Application-Defined AVPs . . . . . . . . . . . . . . .
36
   8. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 37

--
   The following terms are used in this document:

   AAA Cloud
      An infrastructure of Authentication, Authorization, and Accounting (AAA) entities (clients, agents, servers) communicating via a AAA protocol over trusted, secure connections. It offers authentication, authorization, and accounting services to applications in local and roaming scenarios. Diameter and RADIUS [RFC2865] are both widely deployed AAA protocols.

   Application Endpoint (AppE)
      An Application Endpoint is an entity in an end-user device that
--
   regardless of whether or not the AE communicates with an AppS, routers are insulated from the details of particular applications and need not know that Application Servers are involved. Also, the AAA cloud may encompass business relationships such as those between network operators and third-party application providers. This enables flexible intra- or inter-domain authorization, accounting, and settlement.
--
   +-------------------------------------------------------+
   |                    DIAMETER Client                    |
   |                     Functionality                     |
   | +---------------++-----------------++---------------+ |
   | |     User      || QoS Application ||  Accounting   | |
   | | Authentication||     Client      || Client (e.g., | |
   | |    Client     || (Authorization  ||for QoS Traffic| |
   | +---------------+| of QoS Requests)|+---------------+ |
   |                  +-----------------+                  |
   +-------------------------------------------------------+
--
   authorized QoS parameters are set in the packet classifier and the packet scheduler. Note that the parameters passed to the Traffic Control function may be different from the ones that requested QoS (depending on the authorization decision). Once the requested resource is granted, the Resource Management function provides accounting information to the AE via the Diameter client.

3.2. Implications of Endpoint QoS Capabilities

3.2.1. Endpoint Categories

--
   Bearer Gating
      The Diameter QoS application MUST allow the AE to gate (i.e., enable/disable) authorized application flows based on, e.g., application state transitions.

   Accounting Records
      The Diameter QoS application MAY define QoS accounting records containing duration, volume (byte count) usage information, and a description of the QoS attributes (e.g., bandwidth, delay, loss rate) that were supported for the flow.

   Sending Accounting Records
      The NE SHOULD be able to send accounting records for a particular QoS reservation state to an accounting entity.

Sun, et al.                  Standards Track                   [Page 15]
--
   Failure Notification
      The Diameter QoS application MUST allow the NE to report failures, such as loss of connectivity due to movement of a mobile node or other reasons for packet loss, to the Authorizing Entity.

   Accounting Correlation
      The Diameter QoS application MAY support the exchange of sufficient information to allow for correlation between accounting records generated by the NEs and accounting records generated by an AppS.

   Interaction with Other AAA Applications
      Interaction with other AAA applications, such as the Diameter Network Access Server Application [RFC4005], may be required for exchange of authorization, authentication, and accounting information.

   In deployment scenarios where authentication of the QoS reservation requesting entity (e.g., the user) is done by means outside the Diameter QoS application protocol interaction, the AE is contacted
--
   session that is used for the network access [RFC4005]. It is used to tie the QoS authorization request to a prior authentication of the end-host done by a co-located application for network access authentication ([RFC4005]) at the QoS NE.

8. Accounting

   An NE MAY start an accounting session by sending an Accounting-Request (ACR) message after successful QoS reservation and activation of the data flow (see Figures 6 and 7). After every successful re-authorization procedure (see Figures 8 and 9), the NE MAY initiate an interim accounting message exchange. After successful session termination (see Figures 10 and 11), the NE may initiate a final exchange of accounting messages for the termination of the accounting session and report final records for the use of the QoS resources reserved. It should be noted that the two sessions (authorization and accounting) have independent management by the Diameter base protocol, which allows for finalizing the accounting session after the end of the authorization session.

   The detailed QoS accounting procedures are out of scope in this document.
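   The accounting session lifecycle that Section 8 sketches, written out as an added example (it is not code from RFC 5866 or from any Diameter implementation): a QoS NE opens the accounting session with a START record once the flow is active, sends an INTERIM record after each re-authorization, keeps the accounting session open after the authorization session has ended, and closes it with a STOP record carrying the final usage. A server-side check for missing or replayed records follows, since a gap in the record numbers is how a dropped or suppressed usage report shows up. The Accounting-Record-Type values are those of the Diameter base protocol (RFC 6733), which this page does not quote; the accounting session-id naming, the octet figures and the helper names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Accounting-Record-Type values from the Diameter base protocol (RFC 6733),
# not from this page: START_RECORD=2, INTERIM_RECORD=3, STOP_RECORD=4.
START_RECORD, INTERIM_RECORD, STOP_RECORD = 2, 3, 4


@dataclass
class AccountingRequest:
    """One ACR as the NE hands it to its Diameter client (AVP encoding omitted)."""
    session_id: str        # accounting session this ACR belongs to
    record_type: int       # START / INTERIM / STOP
    record_number: int     # Accounting-Record-Number: strictly increasing per session
    octets: int            # volume used so far; constructed figures in the demo below


@dataclass
class QoSReservation:
    """Authorization state of one QoS reservation plus its separate accounting session."""
    auth_session_id: str
    authorized: bool = True                 # authorization session still alive?
    acct_session_id: Optional[str] = None   # None until START has been sent
    next_record_number: int = 0
    acrs: List[AccountingRequest] = field(default_factory=list)

    def _emit(self, record_type: int, octets: int) -> AccountingRequest:
        acr = AccountingRequest(self.acct_session_id, record_type,
                                self.next_record_number, octets)
        self.next_record_number += 1
        self.acrs.append(acr)
        return acr

    def flow_activated(self) -> AccountingRequest:
        """Reservation succeeded and the flow is active: open the accounting session (START)."""
        if self.acct_session_id is not None:
            raise RuntimeError("accounting session already open")
        # ASSUMED naming: derive the accounting session id from the authorization one
        self.acct_session_id = self.auth_session_id + ";acct"
        return self._emit(START_RECORD, 0)

    def reauthorized(self, octets: int) -> AccountingRequest:
        """Successful re-authorization: the NE MAY send an INTERIM record."""
        if not self.authorized:
            raise RuntimeError("re-authorization needs a live authorization session")
        if self.acct_session_id is None:
            raise RuntimeError("accounting session not started")
        return self._emit(INTERIM_RECORD, octets)

    def authorization_terminated(self) -> None:
        """The authorization session ends; the accounting session is managed
        independently by the base protocol and stays open until STOP."""
        self.authorized = False

    def final_report(self, octets: int) -> AccountingRequest:
        """STOP record with the final usage; legal after the authorization session ended."""
        if self.acct_session_id is None:
            raise RuntimeError("accounting session not started")
        acr = self._emit(STOP_RECORD, octets)
        self.acct_session_id = None
        return acr


def check_record_sequence(acrs: List[AccountingRequest]) -> bool:
    """Accounting-server sanity check on one session's records: exactly one START
    first, exactly one STOP last, contiguous record numbers, non-decreasing volume.
    A gap points at a lost or suppressed record, a repeat at a replayed one."""
    if not acrs or acrs[0].record_type != START_RECORD or acrs[-1].record_type != STOP_RECORD:
        return False
    if any(a.record_type in (START_RECORD, STOP_RECORD) for a in acrs[1:-1]):
        return False
    first = acrs[0].record_number
    if [a.record_number for a in acrs] != list(range(first, first + len(acrs))):
        return False
    return all(a.octets <= b.octets for a, b in zip(acrs, acrs[1:]))


if __name__ == "__main__":
    r = QoSReservation("nas.example.net;1;42")   # constructed Session-Id
    r.flow_activated()
    r.reauthorized(1_000)
    r.authorization_terminated()                 # accounting session survives this
    r.final_report(2_500)
    print(check_record_sequence(r.acrs), [a.record_type for a in r.acrs])
```

   The model deliberately refuses an INTERIM record once the authorization session is gone (there is nothing to re-authorize) while still accepting the STOP record, which is exactly the independence Section 8 describes; the sequence check is the piece an accounting server needs before it bills on these records.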
--
../data/rfc/rfc5887.txt
   renumbering capability to well-scheduled renumbering events when the mobile node is connected to its home agent and managed by the home network administration. Unexpected home network renumbering events when the mobile node is away from its home network and not connected to the home agent are supported only if a relevant Authentication, Authorisation, and Accounting (AAA) system is able to allocate dynamically a home address and home agent for the mobile node.

5.3.3. Multicast Issues

   As discussed in [THINK], IPv6 multicast can be used to help rather
--
../data/rfc/rfc5865.txt
2.3. Recommendations on Implementation of an Admitted Telephony Service Class

   When coupled with adequate Authentication, Authorization, and Accounting (AAA) and capacity admission procedures as described in Section 2.2, either of the two PHB implementations described in Section 2.1 is sufficient to provide the services required for an Admitted Telephony service class. If preemption is required, Section 2.3.5.2 of [RFC4542] provides the tools for carrying out the preemption. If preemption is not in view, or if used in addition to
--
../data/rfc/rfc2911.txt
      automatically supplies the document name on behalf of the end user by using a file name or an application generated name.
      If this attribute is supplied, its value can be used in a manner defined by each implementation. Examples include: printed along with the Job (job start sheet, page adornments, etc.), used by accounting or resource tracking management tools, or even stored along with the document as a document level attribute. IPP/1.1 does not support the concept of document level attributes.

   "compression" (type3 keyword):
--
../data/rfc/rfc7256.txt
   The formal specification of the behaviors associated with each of these capabilities, singly and in combination, is given in Section 6.

   In addition to the multicast service processing behavior just sketched, the definition of each capability includes support for the multicast accounting and reporting services described in Section 3.4.3 of [RFC5851]. Because of this common content and because of other protocol overlaps between the different capabilities, the protocol descriptions for the multicast extensions specified in this document are merged into a single non-redundant narrative. Tables in Section 6 then indicate the specific sub-
--
   For the Multicast Replication Control message, these contents consist of:

   o  a Command Code field;

   o  an Accounting field; and

   o  an instance of the Multicast-Flow TLV.

   Figure 5 illustrates the complete Command TLV with the contents specific to the Multicast Replication Control message.
--
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TLV Type = Command 0x0011   |      Command TLV Length       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Command Code |   Accounting  |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Multicast-Flow TLV                       |
   |                              ...                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Other embedded TLV Type    |   Other embedded TLV Length   |
--
   6  "Admission Control and Conditional Access Reject"

   Directives 4 through 6 are used as described in Section 4.4.2.

   o  Accounting: Meaningful only when the Command Code is "Add" (1). In that case, 0 indicates flow accounting is disabled, and 1 indicates that octet accounting for the flow is requested. The sender MUST set the Accounting field to 0, and the receiver MUST ignore the Accounting field for other Command Code values.

   o  Reserved: Reserved for future use. MUST be set to zeroes by the sender and ignored by the receiver.

   o  Multicast-Flow TLV: An instance of the Multicast-Flow TLV
--
   controlled or affected by attributes received in the Multicast Replication Control message SHALL be as set by the last command or message referring to that target and flow and containing the controlling attribute. As an example, successive Multicast Replication Control messages containing add commands for a given port and flow but differing only in the Accounting field update the state of the accounting feature to what is set in the final command received, but all other features are unaffected by the second message.

Le Faucheur, et al.          Standards Track                   [Page 21]

RFC 7256                ANCP Multicast Extensions              July 2014

   If more than one Command TLV is present in a Multicast Replication Control message, the AN MUST act on the commands in the order in
--
   unique value, as described in Section 3.6.1.6 of [RFC6320].

   The AN MUST encode the Command TLV as specified in Section 4.3 with the following additional rules:

   o  The Accounting field MUST be set to 0.

   o  The Command Code field MUST be set to "Add" (1) when the message conveys a join request, to "Delete" (2) when the message conveys a leave, and to "Delete All" (3) when the message conveys a leave of all channels (on the target).
--
   application of policies applicable to specific devices within the customer's network. However, transmission of either of these fields beyond the AN introduces potential privacy issues. Instead of transmitting either of these identifiers, it is RECOMMENDED that the AN map the required identifier to a local value known to the AN and Authentication, Authorization, and Accounting (AAA) but not to the NAS, as discussed in Section 8. The local identifier is transmitted using the Request-Source-Device-Id TLV.

4.4.2. Receiver Behavior

--
      * MUST contain the directive as accepted by the NAS. The NAS MAY modify the Accounting field if flow accounting is required.

   o  If the directive in the Multicast Admission Control message is "Add" (1) and is processed correctly but not accepted by the NAS (i.e., it does not pass the conditional access and admission control check), the NAS MAY generate a Multicast Replication
--
   o  a Command TLV containing:

      * Command Code = "Add" (1);

      * Accounting = "No" (0);

      * a Multicast-Flow embedded TLV indicating the multicast flow for which the AN received the IGMP join: flow type "SSM" (2), address family "IPv4" (1), Group address = 233.252.0.67, Source Address = 192.0.2.21; and
--
   o  a Command TLV containing:

      * Command Code = "Add" (1);

      * Accounting = "Yes" (1), since in our example the operator wants accounting on this flow; and

      * a Multicast-Flow embedded TLV indicating the multicast flow that the NAS is admitting for this access line: flow type "SSM" (2), address family "IPv4" (1), Group address = 233.252.0.67, Source Address = 192.0.2.21.
--
   o  a Command TLV containing:

      * a Command Code = "Delete" (2);

      * Accounting = "No" (0);

      * a Multicast-Flow embedded TLV indicating the multicast flow for which the AN received the IGMP leave: flow type "SSM" (2), address family "IPv4" (1), Group address = 233.252.0.67, Source Address = 192.0.2.21; and
--
   Figure 35: Enabling the Subscriber to Join an On-Line Game

   Message M2 terminating the flow when the subscriber leaves the game looks the same as the message in Figure 35 with two exceptions: the Command Code becomes "Delete" (2), and Accounting is set to "No" (0) to turn off flow accounting. Of course, the Transaction Identifier values will differ between the two messages.

--
../data/rfc/rfc6312.txt
   or in the Visited Network.

   o  The Mobile Network Gateway (MNG): The MNG is the MN's default router, which provides IP address management. The MNG performs functions such as offering Quality of Service (QoS), applying subscriber-specific policy, and enabling billing and accounting; these functions are sometimes collectively referred to as "subscriber-management" operations.
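   The Command TLV of Figure 5, the Accounting-field rules of Section 4.3, and the Add/Add/Delete exchange in the worked example above, as an added Python example (it is not code from RFC 7256 or from any ANCP implementation). The Command TLV type (0x0011), the Command Code and Accounting values, and the SSM/IPv4 flow values are the ones on this page; the Multicast-Flow TLV is carried as opaque bytes produced by a hypothetical helper whose TLV type code 0x0401 and body layout are placeholders, not the encoding RFC 7256 defines. The receiver side shows the two checks a parser needs here: the Length field is bounded against the buffer before it is trusted, and an Accounting value on a Delete or Delete All is ignored rather than acted on, so a peer cannot toggle accounting through a command the rules say carries no accounting semantics.

```python
import struct
import ipaddress
from typing import Dict, Optional, Tuple

COMMAND_TLV_TYPE = 0x0011                      # Figure 5
CMD_ADD, CMD_DELETE, CMD_DELETE_ALL = 1, 2, 3  # Command Code values on this page
ACCT_NO, ACCT_YES = 0, 1                       # Accounting field values

# ASSUMED placeholder: the real Multicast-Flow TLV type code and body layout
# are defined elsewhere in RFC 7256 and are not on this page.
MCAST_FLOW_TLV_TYPE = 0x0401
FLOW_SSM, AF_IPV4 = 2, 1                       # values quoted in the worked example


def multicast_flow_tlv(group: str, source: str) -> bytes:
    """Hypothetical opaque encoding of an IPv4 SSM Multicast-Flow TLV."""
    body = (bytes([FLOW_SSM, AF_IPV4, 0, 0])
            + ipaddress.IPv4Address(group).packed
            + ipaddress.IPv4Address(source).packed)
    return struct.pack("!HH", MCAST_FLOW_TLV_TYPE, len(body)) + body


def validate_for_send(command: int, accounting: int) -> Optional[str]:
    """Sender-side rules from Section 4.3; returns an error string or None."""
    if command not in (CMD_ADD, CMD_DELETE, CMD_DELETE_ALL):
        return f"unknown Command Code {command}"
    if accounting not in (ACCT_NO, ACCT_YES):
        return f"Accounting must be 0 or 1, got {accounting}"
    if command != CMD_ADD and accounting != ACCT_NO:
        return "Accounting MUST be 0 unless Command Code is Add (1)"
    return None


def encode_command_tlv(command: int, accounting: int, embedded: bytes) -> bytes:
    """Build the Command TLV: type, length, Command Code, Accounting, Reserved=0, embedded TLVs."""
    err = validate_for_send(command, accounting)
    if err:
        raise ValueError(err)
    body = struct.pack("!BBH", command, accounting, 0) + embedded  # Reserved MUST be 0
    return struct.pack("!HH", COMMAND_TLV_TYPE, len(body)) + body


def decode_command_tlv(buf: bytes) -> Dict[str, object]:
    """Receiver side: bounds-check the Length, ignore Reserved, and ignore
    Accounting for every Command Code other than Add."""
    if len(buf) < 8:
        raise ValueError("truncated Command TLV")
    tlv_type, length = struct.unpack("!HH", buf[:4])
    if tlv_type != COMMAND_TLV_TYPE:
        raise ValueError(f"not a Command TLV: type 0x{tlv_type:04x}")
    if length < 4 or 4 + length > len(buf):
        raise ValueError("Command TLV Length exceeds the received buffer")
    command, accounting, _reserved = struct.unpack("!BBH", buf[4:8])  # Reserved ignored
    if command not in (CMD_ADD, CMD_DELETE, CMD_DELETE_ALL):
        raise ValueError(f"unknown Command Code {command}")
    return {
        "command": command,
        "accounting": accounting if command == CMD_ADD else ACCT_NO,
        "embedded": buf[8:4 + length],
    }


FlowState = Dict[Tuple[str, bytes], Dict[str, int]]


def apply_command(state: FlowState, port: str, tlv: bytes) -> FlowState:
    """Per-(port, flow) state on the AN: a later Add for the same flow updates
    only the feature it carries (here Accounting), Delete drops that flow,
    Delete All drops every flow on the port."""
    cmd = decode_command_tlv(tlv)
    key = (port, cmd["embedded"])
    if cmd["command"] == CMD_ADD:
        state[key] = {"accounting": cmd["accounting"]}
    elif cmd["command"] == CMD_DELETE:
        state.pop(key, None)
    else:
        for k in [k for k in state if k[0] == port]:
            del state[k]
    return state


if __name__ == "__main__":
    flow = multicast_flow_tlv("233.252.0.67", "192.0.2.21")
    st: FlowState = {}
    apply_command(st, "line-7", encode_command_tlv(CMD_ADD, ACCT_NO, flow))   # AN's request
    apply_command(st, "line-7", encode_command_tlv(CMD_ADD, ACCT_YES, flow))  # NAS turns accounting on
    print(st)
    apply_command(st, "line-7", encode_command_tlv(CMD_DELETE, ACCT_NO, flow))
    print(st)
```

   The `apply_command` state table is what makes the "last command wins" rule from Section 4.3 concrete: the second Add for the same port and flow flips only the accounting flag, and a Delete removes the entry regardless of what its Accounting byte says.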
      The mobile network architecture, as shown in Figure 1, defines the necessary protocol interfaces to enable subscriber-management operations. The MNG is typically located in the Home Network.

   o  Border Router (BR): As the name implies, a BR borders the Internet for the mobile network. The BR does not perform subscriber management for the mobile network.

   o  Authentication, Authorization, and Accounting (AAA): The general functionality of AAA is used for subscriber authentication and authorization for services as well as for generating billing and accounting information.

      In 3GPP network environments, the subscriber authentication and the subsequent authorization for connectivity and services is provided using the "Home Location Register" (HLR) / "Home Subscriber Server" (HSS) functionality.
--
   functionality becomes important.

   In addition to the developments cited above, NAT placement is important for other reasons as well. Access networks generally need to produce network and service usage records for billing and accounting. This is true also for mobile networks where "subscriber management" features (i.e., QoS, Policy, and Billing and Accounting) can be fairly detailed. Since a NAT introduces a binding between two addresses, the bindings themselves become necessary information for subscriber management.
   For instance, the offered QoS on private IPv4 address and the (shared) public IPv4 address may need to be correlated for accounting purposes. As another example, the Application Servers within the provider network may need to treat traffic based on policy provided by the PCRF. If the IP address seen by these Application Servers is not unique, the PCRF needs to be able to inspect the NAT binding to disambiguate among the individual MNs. The subscriber session management information and the service usage

[RFC 7068]

   [...] [RFC6733] indicates that the sending client should attempt to send the request to a different peer. It makes no suggestion that the receipt of a DIAMETER_TOO_BUSY response should affect future Diameter messages in any way.

   The Authentication, Authorization, and Accounting (AAA) Transport Profile [RFC3539] recommends that a AAA node that receives a "Busy" response failover all remaining requests to a different agent or server. But while the Diameter base specification explicitly depends on [RFC3539] to define transport behavior, it does not refer to [RFC3539] in the description of behavior on receipt of a

[...]

   [RFC2914]  Floyd, S., "Congestion Control Principles", BCP 41, RFC 2914, September 2000.

   [RFC3539]  Aboba, B. and J. Wood, "Authentication, Authorization and Accounting (AAA) Transport Profile", RFC 3539, June 2003.

9.2.
Informative References

   [RFC5390]  Rosenberg, J., "Requirements for Management of Overload in the Session Initiation Protocol", RFC 5390,

[RFC 5836]

   [...] 0.1 to 0.00001 with a transfer delay of less than 300 ms. Any help that an optimized handoff mechanism can provide toward meeting these objectives is useful. The ultimate objective is to achieve seamless handover with low latency, even when handover is between different link technologies or between different Authentication, Authorization, and Accounting (AAA) realms.

Ohba, et al.                  Informational                     [Page 3]

[...]

2.  Terminology

   AAA

      Authentication, Authorization, and Accounting (see below). RADIUS [RFC2865] and Diameter [RFC3588] are examples of AAA protocols defined in the IETF.

   AAA realm

      The set of access networks within the scope of a specific AAA server. Thus, if a mobile device moves from one attachment point to another within the same AAA realm, it continues to be served by the same AAA server.

   Accounting

      The act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation [RFC2989].
   Attachment Point

[...]

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.

   [RFC4962]  Housley, R. and B. Aboba, "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management", BCP 132, RFC 4962, July 2007.

   [RFC5247]  Aboba, B., Simon, D., and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework", RFC 5247, August 2008.

[RFC 1102]

   The Policy Terms, as described so far, do not permit the expression of a realistic range of policies. What is needed is the ability to attach to a Policy Term a number of conditions, which describe circumstances under which the term is valid. These might include what type of service (TOS) is available, what times of day the term is valid, what accounting options are valid, and so on. A time-of-day condition, for example, would permit networks, like time-sharing systems, to offer their off-peak capacity to a wider community.

   In general, these conditions could be quite arbitrary. The important constraint on these conditions is that any condition imposed by the

[...]

   Almost all of the existing Internet has been paid for as a capital purchase and provided to the users as a free good.
   There are limited examples of cost recovery, but these are based on an annual subscription fee rather than a charge related to the utilization. There is a growing body of opinion which says that accounting for usage, if not billing for it, is an important component of effective resource management. For this reason, tools for accounting and billing must be a central part of any policy mechanism. However, precisely because the administrative regions are autonomous, we cannot impose a uniform form of billing policy on all of the regions. Some of them may continue to provide service freely, or on the basis of an annual fee. Others may charge on the basis of resources

   [...] flow. This solved the particular problem of tying together the routing decision which had been made in each direction, so that they could be used in the other. There are, in fact, a number of reasons why the two halves of the flow should be tied together.

   - There is considerable overhead in accounting and collecting for the usage. It is clearly desirable to have both halves of the flow metered jointly.

   - If the route is not bi-directional, then a failure in the node produces a uni-directional link. Uni-directional links are known

[...]

   An additional advantage of maintaining state in the gateway is that it will greatly reduce the overhead of dealing with incoming packets.
   There are a number of decisions which the Policy Gateway must make which are a part of forwarding a packet: it must validate the Policy Route against its terms, it must create or modify an accounting record, and it must select the next Policy Gateway. It is unreasonable to imagine performing these tasks from scratch for each incoming packet. Once these decisions have been made, the results should be cached, so that they can be used for subsequent packets.

[RFC 6192]

   o  Permit Simple Network Management Protocol (SNMP) traffic from network management stations within subnet 198.51.100.128/25 and 2001:db8:100:3::/64

   o  Permit RADIUS authentication and accounting replies from RADIUS servers 198.51.100.9, 198.51.100.10, 2001:db8:100::9, and 2001:db8:100::10 that are listening on UDP ports 1812 and 1813 (Internet Assigned Numbers Authority (IANA) RADIUS ports). Note that this does not accommodate a server using the original UDP ports of 1645 and 1646

[RFC 5481]

      8.2.  Measurement Devices .......................................32
      8.3.  Units of Measurement ......................................33
      8.4.  Test Duration .............................................33
      8.5.  Clock Sync Options ........................................33
      8.6.  Distinguishing Long Delay from Loss .......................34
      8.7.
            Accounting for Packet Reordering ..........................34
      8.8.  Results Representation and Reporting ......................35
   9.  Security Considerations ........................................35
   10. Acknowledgments ...............................................35
   11. Appendix on Calculating the D(min) in PDV .....................35
   12. References ....................................................36

[...]

   In essence, [IPPM-Reporting] suggests to use a long waiting time to serve network characterization and revise results for specific application delay thresholds as needed.

8.7.  Accounting for Packet Reordering

   Packet reordering, defined in [RFC4737], is essentially an extreme form of delay variation where the packet stream arrival order differs from the sending order.

[RFC 3315]

   The information contained in the data area of this option is contained in one or more opaque fields that represent the user class or classes of which the client is a member. A server selects configuration information for the client based on the classes identified in this option. For example, the User Class option can be used to configure all clients of people in the accounting department

Droms, et al.               Standards Track                    [Page 84]

[RFC 3702]

Category: Informational                                     G.
Camarillo
                                                                Ericsson
                                                           February 2004


          Authentication, Authorization, and Accounting
        Requirements for the Session Initiation Protocol (SIP)

Status of this Memo

   This memo provides information for the Internet community. It does

[...]

Abstract

   As Session Initiation Protocol (SIP) services are deployed on the Internet, there is a need for authentication, authorization, and accounting of SIP sessions. This document sets out the basic requirements for this work.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2

[...]

            2.3.1.  Ability to Authorize SIP Requests. . . . . . . .  7
            2.3.2.  Information Transfer . . . . . . . . . . . . . .  7
            2.3.3.  User De-authorization. . . . . . . . . . . . . .  7
            2.3.4.  User Re-authorization. . . . . . . . . . . . . .  7
            2.3.5.  Support for Credit Control . . . . . . . . . . .  7
       2.4.  Accounting Requirements. . . . . . . . . . . . . . . . .  8
            2.4.1.  Separation of Accounting Information . . . . . .  8
            2.4.2.  Accounting Information Related to Session
                    Progression. . . . . . . . . . . . . . . . . . .  8
            2.4.3.  Accounting Information Not Related to Session
                    Progression. . . . . . . . . . . . . . . . . . .  9
            2.4.4.
                    Support for One-Time and Session-based
                    Accounting Records . . . . . . . . . . . . . . .  9
            2.4.5.  Support for Accounting on Different Media
                    Components . . . . . . . . . . . . . . . . . . .  9
            2.4.6.  Configuration of Accounting Generation
                    Parameters. . . . . . . . . . . . . . . . . . .  9
            2.4.7.  Support for Arbitrary Correlations . . . . . . .  9
   3.  Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . 10
       3.1.  WLAN Roaming Using Third Party Service Providers . . . . 11
       3.2.  Conditional Authorization. . . . . . . . . . . . . . . . 12

[...]

   8.  Full Copyright Statement . . . . . . . . . . . . . . . . . . . 15

1.  Introduction

   The AAA working group is chartered to work on authentication, authorization, and accounting solutions for the Internet. This work consists of a base protocol, applications, end-to-end security application, and a general architecture for providing these services [3]. The AAA working group has specified applicability of AAA-based solutions for a number of protocols (e.g., AAA requirements for Mobile IP [4]).

   SIP is a signalling protocol for creating, modifying, and terminating different types of sessions, such as Internet phone calls, multimedia distribution, and multimedia conferences [1]. SIP sessions have needs for session authentication, authorization, and accounting (AAA).
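
   The following is an added worked example, not code from RFC 3702 or any other RFC excerpted here. It shows what the accounting side of such an interface looks like on the wire when the session-based START, INTERIM and STOP records (Section 2.4.4 of RFC 3702) are carried as RADIUS Accounting-Request packets to the UDP port 1813 that the RFC 6192 filter above admits, and how the AAA side can correlate them by the SIP Call-ID (Section 2.4.7). The packet layout, attribute numbers and Request Authenticator rule are taken from RFC 2866, which this page does not quote; the shared secret, user names and Call-ID are constructed sample data. The security point is the authenticator check: an Accounting-Request whose MD5-over-secret does not verify is dropped before it is parsed, because a forged STOP ends billing early and a forged START injects usage.

```python
"""RADIUS accounting records: build, verify, and correlate by session.

Added example, not from any RFC on this page. Models the START/INTERIM/STOP
records and Call-ID correlation of RFC 3702 (2.4.4, 2.4.7) as RADIUS
Accounting-Request packets (UDP 1813). Layout, attribute numbers and the
Request Authenticator rule follow RFC 2866 section 3, not the page itself;
the secret, user names and Call-ID used with it are constructed sample data.
"""
import hashlib
import hmac
import struct

ACCT_REQUEST = 4                                   # RADIUS Code: Accounting-Request
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 40, 44, 46
START, STOP, INTERIM = 1, 2, 3                     # Acct-Status-Type values


def encode_attrs(attrs):
    """(type, bytes) pairs -> RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = bytearray()
    for t, v in attrs:
        if not 0 < len(v) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def request_authenticator(ident, body, secret):
    """RFC 2866: MD5(Code | Identifier | Length | 16 zero octets | attributes | secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return hashlib.md5(header + bytes(16) + body + secret).digest()


def build_acct_request(ident, status, user, session_id, secret, session_time=None):
    """One Accounting-Request; Acct-Session-Id carries the SIP Call-ID."""
    attrs = [(USER_NAME, user.encode()),
             (ACCT_STATUS_TYPE, struct.pack("!I", status)),
             (ACCT_SESSION_ID, session_id.encode())]
    if session_time is not None:
        attrs.append((ACCT_SESSION_TIME, struct.pack("!I", session_time)))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + request_authenticator(ident, body, secret) + body


def parse_attrs(body):
    """Walk the TLV area; reject truncated or overlapping attributes."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def verify_acct_request(pkt, secret):
    """Return the record as a dict if the authenticator verifies, else None.
    Nothing is parsed until the secret-keyed MD5 check passes."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt) or length > 4096:
        return None
    body = pkt[20:]
    if not hmac.compare_digest(request_authenticator(ident, body, secret), pkt[4:20]):
        return None
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return None
    rec = {"ident": ident}
    for t, v in attrs:
        if t == USER_NAME:
            rec["user"] = v.decode(errors="replace")
        elif t == ACCT_SESSION_ID:
            rec["session_id"] = v.decode(errors="replace")
        elif t in (ACCT_STATUS_TYPE, ACCT_SESSION_TIME) and len(v) == 4:
            rec["status" if t == ACCT_STATUS_TYPE else "session_time"] = struct.unpack("!I", v)[0]
    return rec


class AccountingLedger:
    """Correlate START/INTERIM/STOP by Acct-Session-Id; flag records out of order."""

    def __init__(self):
        self.open, self.closed, self.anomalies = {}, {}, []

    def ingest(self, rec):
        sid, status = rec.get("session_id"), rec.get("status")
        if status == START:
            if sid in self.open:
                self.anomalies.append(("duplicate-start", sid))
            self.open[sid] = {"user": rec.get("user"), "seconds": 0}
        elif status == INTERIM and sid in self.open:
            self.open[sid]["seconds"] = rec.get("session_time", self.open[sid]["seconds"])
        elif status == STOP and sid in self.open:
            session = self.open.pop(sid)
            session["seconds"] = rec.get("session_time", session["seconds"])
            self.closed[sid] = session
        else:                                       # STOP/INTERIM with no START, or unknown type
            self.anomalies.append(("unexpected", status, sid))
```

   A STOP or INTERIM for a session the ledger never saw start is recorded as an anomaly rather than silently accepted; in a deployment that is the record to alert on, since it is either a lost START (a gap in billing) or a spoofed packet that slipped past the shared-secret check.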
   [...] convenient for SIP entities to communicate with an AAA server than to attempt to store user credentials and profiles locally. SIP entities use the SIP-AAA interface to access the AAA server.

   This document provides requirements for the interface between SIP entities and AAA servers. While accounting requirements are discussed, this document does not cover SIP charging or billing mechanisms.

   One possible use of this document would be to create an AAA application for SIP. Any protocol meeting the requirements outlined

[...]

   5.  Section 2.3.4: RADIUS clients would need to support Dynamic Authorization [7].

1.2.  Terminology and Acronyms

   AAA: Authentication, Authorization, and Accounting

   Accounting: The collection of resource consumption data for the purposes of capacity and trend analysis, cost allocation, auditing, and billing. Accounting management requires that resource consumption be measured, rated, assigned, and communicated between appropriate parties [8].

   Accounting with credit control: The application checks the end user's account for coverage for the requested service event charge prior to execution of that service event.
   Home AAA Server: The AAA server with which the user maintains an account relationship.

[...]

2.  Requirements

   In this section, we list the requirements. Protocol solutions are not required to satisfy requirements for services that they do not support. For example, a solution that provides authentication services but not accounting services does not need to fulfill the accounting requirements. It is expected that solutions will fulfill the general requirements, plus the requirements for the specific services they are providing.

[...]

   Section 2.1 lists general requirements, Section 2.2 lists requirements related to authentication, Section 2.3 lists requirements related to authorization, and Section 2.4 lists requirements related to accounting.

2.1.  Common Requirements

   This section outlines general requirements on the SIP-AAA interface.

[...]

2.1.6.  SIP Session Changes

   The SIP-AAA interface MUST allow a SIP entity to inform the AAA server about changes in the SIP session that may affect the authorization, authentication, or accounting for that SIP session.

2.1.7.
Reliable Transfer of Protocol Messages

   The SIP-AAA interface SHOULD provide a reliable transfer of AAA protocol messages between the SIP entity and the AAA server.

[...]

   The SIP-AAA interface MUST support credit control. That is, the AAA server has to be able to check the end user's account for coverage for the requested service event charge before authorizing execution of that service event. Note that this requirement is related to accounting as well.

Loughney & Camarillo         Informational                      [Page 7]

[...]

   Credit control is useful to implement prepaid services where all chargeable events related to a specific account are withheld from the end user when the credit of that account is exhausted or expired.

2.4.  Accounting Requirements

   This section outlines requirements on the SIP-AAA interface related to accounting. Accounting is more than simple charging. Accounting may be a simple list of services accessed, servers accessed, duration of session, etc. Charging for SIP sessions can be extremely complex and requires some additional study. It is not the intent of this section to focus on charging.

   [...] transfer a wide range of data, some SIP nodes may not have access to it.
   In order to design a network, it is important to analyze which SIP nodes will be able to generate the desired account records.

2.4.1.  Separation of Accounting Information

   AAA accounting messages MUST be able to provide granular information based on different parameters.

   For example, it should be possible to separate "session duration" information from other information generated via additional services (e.g., 3-way calling). Separating accounting information makes it possible to provide accounting information to different parties based upon different aspects of the session.

2.4.2.  Accounting Information Related to Session Progression

   There MUST be support in the SIP-AAA interface for accounting transfers where the information contained in the accounting data has a direct bearing on the establishment, progression, and termination of a session (e.g., reception of a BYE request).

[...]

2.4.3.
Accounting Information Not Related to Session Progression

   There MUST be support in the SIP-AAA interface for accounting transfers where the information contained in the accounting data does NOT have a direct bearing on the establishment, progression, and termination of a session (e.g., an instant MESSAGE that is not related to any session).

2.4.4.  Support for One-Time and Session-based Accounting Records

   The SIP-AAA interface MUST allow SIP servers to provide relevant accounting information for billing and inter-network settlement purposes to the AAA servers. Both one-time event accounting records and session based (START, INTERIM, STOP records) accounting MUST be supported.

2.4.5.  Support for Accounting on Different Media Components

   The SIP-AAA interface MUST support accounting per media component (e.g., voice and video). That is, the SIP-AAA interface MUST be able to provide the AAA server with the types (e.g., voice and video) of the media streams of a given session.

   Note, however, that some SIP entities do not have access to this

   [...] (e.g., a gateway towards the PSTN).

   The SIP-AAA interface MUST enable different parties to be charged per media component.

2.4.6.
Configuration of Accounting Generation Parameters

   The SIP-AAA interface MUST allow AAA servers to communicate parameters for accounting generation.

2.4.7.  Support for Arbitrary Correlations

   Some networks need to be able to relate accounting information to some aspect of the SIP messages involved. So, the SIP-AAA interface MUST allow the AAA server to correlate a particular AAA session with any aspect of the SIP messages. For example, an AAA server that receives accounting information about a SIP dialog may be interested in knowing the Call-ID of the SIP dialog.

[...]

          |                 |                 |                 |
          |                 |<------OK--------|                 |
          |                 |                 |                 |
          |                 |---------INVITE------------------>|
          |                 |                 |                 |
          |                 |-Accounting msg->|                 |
          |                 |                 |                 |

                       Figure 2: WLAN roaming user

   User A accesses the Internet using a WLAN access outside his home

   [...] (Proxy Authentication Required) response, and user A reissues the INVITE including his credentials. SIP proxy C consults user A's home AAA server, which confirms that the credentials belong to user A and that SIP proxy C can go ahead and provide its service for that call.
   SIP proxy C routes the INVITE forward towards user B and sends an accounting message to the AAA server, which will be used later to charge user A for the service provided by SIP proxy C.

[...]

   [3]  Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

   [4]  Glass, S., Hiller, T., Jacobs, S. and C. Perkins, "Mobile IP Authentication, Authorization, and Accounting Requirements", RFC 2977, October 2000.

   [5]  Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial in User Service (RADIUS)", RFC 2865, June 2000.

[...]

   [7]  Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial in User Service (RADIUS)", RFC 3576, July 2003.

   [8]  Aboba, B., Arkko, J. and D. Harrington, "Introduction to Accounting Management", RFC 2975, October 2000.

[RFC 6245]

   [...] keys in both directions. The GRE key assignment in the FA and the HA is outside the scope of this memo.

   The GRE Key Extension SHALL follow the format defined in [RFC5944].
   This extension SHALL be added after the MN-HA and MN-FA Challenge and MN-AAA (Mobile Node - Authentication, Authorization, and Accounting) extensions (if any) and before the FA-HA Auth extension (if any).

4.2.  Home Agent Requirements for GRE Tunneling Support

   The HA MUST follow the procedures specified in [RFC5944] in

[RFC 1167]

   [...] support the general operation of the system (for example, network management facilities, name servers of various types, email, database and other kinds of information servers, multicast routers, cryptographic certificate servers) and collaboration support tools including video/teleconferencing systems and other "groupware" facilities. Accounting and access control mechanisms will be required.

   7. The system will support multiple protocols on an end to end basis. At the least, full TCP/IP and OSI protocol stacks will be supported. Dealing with Connectionless and Connection-Oriented Network Services

   [...] network in the U.S. with its local and inter-exchange carrier (IEC) structure. It should be noted that in the presence of the local and IEC structure, it has proven possible to support private and virtual private networking as well. The same needs to be true of the NREN.

   A critical element of any commercial service is accounting and billing.
   It must be possible to identify users (billable parties, anyway) and to compute usage charges. This is not to say that the NREN component networks must necessarily bill on the basis of usage. It may prove preferable to have fixed access charges which might be modulated by access data rate, as some of the intermediate-level

   [...] Even if such an activity is initiated through federal action, it may be helpful, in the long run, if it eventually embraces a much wider community.

   Agreements are needed on the technical foundations for network monitoring and management, for internetwork accounting and exchange payments, for problem identification, tracking, escalation and resolution. A framework is needed for the support of users of the aggregate NREN. This suggests cooperative agreements among network information centers, user service and support organizations to begin with. Eventually, the cost of such operations will have to be

[RFC 5281]

4.  Terminology

   AAA

      Authentication, Authorization, and Accounting - functions that are generally required to control access to a network and support billing and auditing.
../data/rfc/rfc5281.txt- ../data/rfc/rfc5281.txt- AAA protocol ../data/rfc/rfc5281.txt- -- ../data/rfc/rfc5281.txt- AAA server ../data/rfc/rfc5281.txt- ../data/rfc/rfc5281.txt- A server which performs one or more AAA functions: authenticating ../data/rfc/rfc5281.txt- a user prior to granting network service, providing authorization ../data/rfc/rfc5281.txt- (policy) information governing the type of network service the ../data/rfc/rfc5281.txt: user is to be granted, and accumulating accounting information ../data/rfc/rfc5281.txt- about actual usage. ../data/rfc/rfc5281.txt- ../data/rfc/rfc5281.txt- AAA/H ../data/rfc/rfc5281.txt- ../data/rfc/rfc5281.txt- A AAA server in the user's home domain, where authentication and -- ../data/rfc/rfc5281.txt- ../data/rfc/rfc5281.txt- During phase 2, the TLS record layer is used to tunnel information ../data/rfc/rfc5281.txt- between client and TTLS server to perform any of a number of ../data/rfc/rfc5281.txt- functions. These might include user authentication, client integrity ../data/rfc/rfc5281.txt- validation, negotiation of data communication security capabilities, ../data/rfc/rfc5281.txt: key distribution, communication of accounting information, etc. ../data/rfc/rfc5281.txt- Information between client and TTLS server is exchanged via ../data/rfc/rfc5281.txt- attribute-value pairs (AVPs) compatible with RADIUS and Diameter; ../data/rfc/rfc5281.txt- thus, any type of function that can be implemented via such AVPs may ../data/rfc/rfc5281.txt- easily be performed. ../data/rfc/rfc5281.txt- -- ../data/rfc/rfc5281.txt- Session-Id = 0x15 || client.random || server.random ../data/rfc/rfc5281.txt- ../data/rfc/rfc5281.txt-12.2. Peer-Id ../data/rfc/rfc5281.txt- ../data/rfc/rfc5281.txt- The Peer-Id represents the identity to be used for access control and ../data/rfc/rfc5281.txt: accounting purposes. 
When the client presents a certificate as part ../data/rfc/rfc5281.txt- of the TLS handshake, the Peer-Id is determined based on information ../data/rfc/rfc5281.txt- in the certificate, as specified in Section 5.2 of [RFC5216]. ../data/rfc/rfc5281.txt- Otherwise, the Peer-Id is null. ../data/rfc/rfc5281.txt- ../data/rfc/rfc5281.txt-12.3. Server-Id -- ../data/rfc/rfc2504.txt- comes from an unknown source to a computer storing business records, ../data/rfc/rfc2504.txt- other valuable data and data which is potentially damaging if the ../data/rfc/rfc2504.txt- information was lost or stolen. ../data/rfc/rfc2504.txt- ../data/rfc/rfc2504.txt- If the system has a mixed purpose, say recreation, correspondence ../data/rfc/rfc2504.txt: and some home accounting, perhaps you will hazard some downloading of ../data/rfc/rfc2504.txt- software. You unavoidably take some risk of acquiring stuff ../data/rfc/rfc2504.txt- which is not exactly what it seems to be. ../data/rfc/rfc2504.txt- ../data/rfc/rfc2504.txt- It may be worthwhile installing privacy software on a computer if it ../data/rfc/rfc2504.txt- is shared by multiple users. That way, a friend of a room mate won't -- ../data/rfc/rfc3571.txt- ../data/rfc/rfc3571.txt-2.2. Normal Operations ../data/rfc/rfc3571.txt- ../data/rfc/rfc3571.txt-2.2.1. Connection Establishment and Initial Configuration Request ../data/rfc/rfc3571.txt- ../data/rfc/rfc3571.txt: The Accounting Timer object in the COPS Connection Accept message ../data/rfc/rfc3571.txt- contains the minimum number of seconds between reporting intervals as ../data/rfc/rfc3571.txt- described in [COPS] and [FEEDBACKFWK]. This is used as the basic ../data/rfc/rfc3571.txt- unit of measurement in defining intervals for specific usage policies ../data/rfc/rfc3571.txt- with the frwkFeedbackLinkInterval attribute. ../data/rfc/rfc3571.txt- -- ../data/rfc/rfc3571.txt- operate with the installed policy. 
When the locally installed policy ../data/rfc/rfc3571.txt- at the PEP expires, the usage policy data also expires. ../data/rfc/rfc3571.txt- ../data/rfc/rfc3571.txt- Upon successful reconnection where the PEP is still caching policy, ../data/rfc/rfc3571.txt- the PDP indicates to the PEP that the PEP may resume sending of the ../data/rfc/rfc3571.txt: COPS accounting type report messages. The PDP does this by issuing ../data/rfc/rfc3571.txt- an unsolicited decision containing the frwkFeedbackResumeIndicator ../data/rfc/rfc3571.txt- set to 'resume'. The PEP should resume reporting at the next ../data/rfc/rfc3571.txt- appropriate feedback interval established upon the acceptance of the ../data/rfc/rfc3571.txt- re-connection. The PDP is aware of the request state Handle(s) and ../data/rfc/rfc3571.txt- -- ../data/rfc/rfc3571.txt- This class links the selection criteria instance with the usage ../data/rfc/rfc3571.txt- class. This table permits the reuse of a selection criteria instance ../data/rfc/rfc3571.txt- for multiple usage policies. ../data/rfc/rfc3571.txt- ../data/rfc/rfc3571.txt- The linkage table also permits the definition of a maximum reporting ../data/rfc/rfc3571.txt: interval to use when issuing the COPS accounting type reports for the ../data/rfc/rfc3571.txt- usage instance. A value of 0 in this attribute indicates that the ../data/rfc/rfc3571.txt- usage policy must be solicited. ../data/rfc/rfc3571.txt- ../data/rfc/rfc3571.txt-3.3.5. Feedback Traffic Statistics Threshold ../data/rfc/rfc3571.txt- -- ../data/rfc/rfc3571.txt- solicitReport(4) ../data/rfc/rfc3571.txt- } ../data/rfc/rfc3571.txt- STATUS current ../data/rfc/rfc3571.txt- DESCRIPTION ../data/rfc/rfc3571.txt- "The value indicates if the PEP is to send cached ../data/rfc/rfc3571.txt: usage policies via COPS accounting type report ../data/rfc/rfc3571.txt- messages. 
../data/rfc/rfc3571.txt- The enumeration values are: ../data/rfc/rfc3571.txt- (1) suspendMonitoringAndReports ../data/rfc/rfc3571.txt- (2) suspendReports ../data/rfc/rfc3571.txt- (3) resume -- ../data/rfc/rfc3571.txt- frwkFeedbackLinkInterval OBJECT-TYPE ../data/rfc/rfc3571.txt- SYNTAX Integer32 ../data/rfc/rfc3571.txt- STATUS current ../data/rfc/rfc3571.txt- DESCRIPTION ../data/rfc/rfc3571.txt- "Maximum interval in units of the value of the ../data/rfc/rfc3571.txt: Accounting Timer specified by the PDP in the client ../data/rfc/rfc3571.txt- accept message. A frwkFeedbackLinkInterval of 1 is ../data/rfc/rfc3571.txt: equal to the value of the Accounting Timer. This value ../data/rfc/rfc3571.txt- must be 1 or greater. " ../data/rfc/rfc3571.txt- ../data/rfc/rfc3571.txt- ::= { frwkFeedbackLinkEntry 4} ../data/rfc/rfc3571.txt- ../data/rfc/rfc3571.txt- frwkFeedbackLinkThreshold OBJECT-TYPE -- ../data/rfc/rfc2800.txt-WEBDAV HTTP Extensions for Distributed Authoring -- WEBDAV 2518 ../data/rfc/rfc2800.txt-ATM-MIBMAN Definitions of Managed Objects for ATM Management 2515 ../data/rfc/rfc2800.txt-ATM-TC-OID Definitions of Textual Conventions and OBJECT- 2514 ../data/rfc/rfc2800.txt- IDENTITIES for ATM Management ../data/rfc/rfc2800.txt--------- Managed Objects for Controlling the Collection 2513 ../data/rfc/rfc2800.txt: and Storage of Accounting Information for ../data/rfc/rfc2800.txt- Connection-Oriented Networks ../data/rfc/rfc2800.txt:-------- Accounting Information for ATM Networks 2512 ../data/rfc/rfc2800.txt-X.509-CRMF Internet X.509 Certificate Request Message Format 2511 ../data/rfc/rfc2800.txt-PKICMP Internet X.509 Public Key Infrastructure Certificate 2510 ../data/rfc/rfc2800.txt- Management Protocols ../data/rfc/rfc2800.txt-IPCOM-PPP IP Header Compression over PPP 2509 ../data/rfc/rfc2800.txt--------- Compressing IP/UDP/RTP Headers for Low-Speed Serial 2508 -- ../data/rfc/rfc2297.txt- channel connection is specified by its input port, input VPI, and 
../data/rfc/rfc2297.txt- input VCI. Each virtual path connection is specified by its input ../data/rfc/rfc2297.txt- port and input VPI. These are specified in the Input Port, Input VPI, ../data/rfc/rfc2297.txt- and Input VCI fields of each Activity Record. Two forms of activity ../data/rfc/rfc2297.txt- detection are supported. If the switch supports per connection ../data/rfc/rfc2297.txt: traffic accounting, the current value of the traffic counter for each ../data/rfc/rfc2297.txt- specified virtual channel connection or virtual path connection must ../data/rfc/rfc2297.txt- be returned. The units of traffic counted are not specified but will ../data/rfc/rfc2297.txt- typically be either cells or frames. The controller must compare the ../data/rfc/rfc2297.txt- traffic counts returned in the message with previous values for each ../data/rfc/rfc2297.txt- of the specified connections to determine whether each connection has ../data/rfc/rfc2297.txt- been active in the intervening period. If the switch does not ../data/rfc/rfc2297.txt: support per connection traffic accounting, but is capable of ../data/rfc/rfc2297.txt- detecting per connection activity by some other unspecified means, ../data/rfc/rfc2297.txt- the result may be indicated for each connection using the Flags ../data/rfc/rfc2297.txt- field. The Connection Activity message is: ../data/rfc/rfc2297.txt- ../data/rfc/rfc2297.txt- Message Type = 48 -- ../data/rfc/rfc8321.txt- also be used in a Service Function Chaining (SFC) domain. Lastly, ../data/rfc/rfc8321.txt- the application of the marking method to Network Virtualization ../data/rfc/rfc8321.txt- over Layer 3 (NVO3) protocols is considered by [NVO3-ENCAPS]. ../data/rfc/rfc8321.txt- ../data/rfc/rfc8321.txt- o MPLS Performance Measurement: RFC 6374 [RFC6374] uses the Loss ../data/rfc/rfc8321.txt: Measurement (LM) packet as the packet accounting demarcation ../data/rfc/rfc8321.txt- point. 
Unfortunately, this gives rise to a number of problems ../data/rfc/rfc8321.txt: that may lead to significant packet accounting errors in certain ../data/rfc/rfc8321.txt- situations. [MPLS-FLOW] discusses the desired capabilities for ../data/rfc/rfc8321.txt- ../data/rfc/rfc8321.txt- ../data/rfc/rfc8321.txt- ../data/rfc/rfc8321.txt-Fioccola, et al. Experimental [Page 21] -- ../data/rfc/rfc6827.txt- 2. Routing Areas, OSPF Areas, and Protocol Instances ...............5 ../data/rfc/rfc6827.txt- 3. Terminology and Identification ..................................6 ../data/rfc/rfc6827.txt- 4. Reachability ....................................................7 ../data/rfc/rfc6827.txt- 5. Link Attribute ..................................................8 ../data/rfc/rfc6827.txt- 5.1. Local Adaptation ...........................................8 ../data/rfc/rfc6827.txt: 5.2. Bandwidth Accounting .......................................9 ../data/rfc/rfc6827.txt- 6. Routing Information Scope .......................................9 ../data/rfc/rfc6827.txt- 6.1. Link Advertisement (Local and Remote TE Router ID Sub-TLV) .9 ../data/rfc/rfc6827.txt- 6.2. Reachability Advertisement (Local TE Router ID Sub-TLV) ...11 ../data/rfc/rfc6827.txt- 7. Routing Information Dissemination ..............................11 ../data/rfc/rfc6827.txt- 7.1. Import/Export Rules .......................................12 -- ../data/rfc/rfc6827.txt-Malis, et al. Standards Track [Page 8] ../data/rfc/rfc6827.txt- ../data/rfc/rfc6827.txt-RFC 6827 ASON Routing for OSPFv2 Protocols January 2013 ../data/rfc/rfc6827.txt- ../data/rfc/rfc6827.txt- ../data/rfc/rfc6827.txt:5.2. Bandwidth Accounting ../data/rfc/rfc6827.txt- ../data/rfc/rfc6827.txt- GMPLS routing defines an ISCD that provides, among other things, the ../data/rfc/rfc6827.txt- quantities of the maximum/minimum available bandwidth per priority ../data/rfc/rfc6827.txt- for Label Switched Paths (LSPs). 
One or more ISCD sub-TLVs can be ../data/rfc/rfc6827.txt- associated with an interface, per [RFC4202] and [RFC4203]. This ../data/rfc/rfc6827.txt- information, combined with the Unreserved Bandwidth Link TLV sub-TLV ../data/rfc/rfc6827.txt: [RFC3630], provides the basis for bandwidth accounting. ../data/rfc/rfc6827.txt- ../data/rfc/rfc6827.txt- In the ASON context, additional information may be included when the ../data/rfc/rfc6827.txt- representation and information in the other advertised fields are not ../data/rfc/rfc6827.txt- sufficient for a specific technology, e.g., SDH. The definition of ../data/rfc/rfc6827.txt- technology-specific information elements is beyond the scope of this -- ../data/rfc/rfc6827.txt- ../data/rfc/rfc6827.txt- Management plane: performs management functions for the transport ../data/rfc/rfc6827.txt- plane, the control plane, and the system as a whole. It also ../data/rfc/rfc6827.txt- provides coordination between all the planes. The following ../data/rfc/rfc6827.txt- management functional areas are performed in the management plane: ../data/rfc/rfc6827.txt: performance, fault, configuration, accounting, and security ../data/rfc/rfc6827.txt- management. ../data/rfc/rfc6827.txt- ../data/rfc/rfc6827.txt- Management domain: (See Recommendation G.805.) A management domain ../data/rfc/rfc6827.txt- defines a collection of managed objects that are grouped to meet ../data/rfc/rfc6827.txt- organizational requirements according to geography, technology, ../data/rfc/rfc6827.txt- policy, or other structure, and for a number of functional areas ../data/rfc/rfc6827.txt: such as Fault, Configuration, Accounting, Performance, and ../data/rfc/rfc6827.txt- Security (FCAPS), for the purpose of providing control in a ../data/rfc/rfc6827.txt- consistent manner. 
Management domains can be disjoint, contained, ../data/rfc/rfc6827.txt- ../data/rfc/rfc6827.txt- ../data/rfc/rfc6827.txt- -- ../data/rfc/rfc3846.txt- ../data/rfc/rfc3846.txt-Abstract ../data/rfc/rfc3846.txt- ../data/rfc/rfc3846.txt- When a mobile node moves between two foreign networks, it has to be ../data/rfc/rfc3846.txt- re-authenticated. If the home network has both multiple ../data/rfc/rfc3846.txt: Authentication Authorization and Accounting (AAA) servers and Home ../data/rfc/rfc3846.txt- Agents (HAs) in use, the Home AAA server may not have sufficient ../data/rfc/rfc3846.txt- information to process the re-authentication correctly (i.e., to ../data/rfc/rfc3846.txt- ensure that the same HA continues to be used). This document defines ../data/rfc/rfc3846.txt- a Mobile IP extension that carries identities for the Home AAA and HA ../data/rfc/rfc3846.txt- servers in the form of Network Access Identifiers (NAIs). The -- ../data/rfc/rfc5580.txt- 2. Terminology .....................................................3 ../data/rfc/rfc5580.txt- 3. Delivery Methods for Location Information .......................3 ../data/rfc/rfc5580.txt- 3.1. Location Delivery Based on Out-of-Band Agreements ..........4 ../data/rfc/rfc5580.txt- 3.2. Location Delivery Based on Initial Request .................5 ../data/rfc/rfc5580.txt- 3.3. Location Delivery Based on Mid-Session Request .............6 ../data/rfc/rfc5580.txt: 3.4. Location Delivery in Accounting Messages ..................10 ../data/rfc/rfc5580.txt- 4. Attributes .....................................................11 ../data/rfc/rfc5580.txt- 4.1. Operator-Name Attribute ...................................12 ../data/rfc/rfc5580.txt- 4.2. Location-Information Attribute ............................14 ../data/rfc/rfc5580.txt- 4.3. Location-Data Attribute ...................................16 ../data/rfc/rfc5580.txt- 4.3.1. 
Civic Location Profile .............................17 -- ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt-1. Introduction ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- This document defines attributes within RADIUS and Diameter that can ../data/rfc/rfc5580.txt- be used to convey location-related information within authentication ../data/rfc/rfc5580.txt: and accounting exchanges. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- Location information may be useful in a number of scenarios. ../data/rfc/rfc5580.txt- Wireless networks (including wireless LAN) are being deployed in ../data/rfc/rfc5580.txt- public places such as airports, hotels, shopping malls, and coffee ../data/rfc/rfc5580.txt- shops by a diverse set of operators such as cellular network -- ../data/rfc/rfc5580.txt- server responds with either an Access-Accept or an Access-Reject ../data/rfc/rfc5580.txt- message. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- The use of dynamic authorization [RFC5176] is necessary when location ../data/rfc/rfc5580.txt- information is needed on-demand and cannot be obtained from ../data/rfc/rfc5580.txt: accounting information in a timely fashion. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- Figure 3 shows the above-described approach graphically. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- +---------------+ +---------------+ +------+ ../data/rfc/rfc5580.txt- | Dynamic | | Dynamic | |RADIUS| -- ../data/rfc/rfc5580.txt- : <<Further exchanges later>> : : ../data/rfc/rfc5580.txt- : : : ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- Figure 4: Location Delivery Based on CoA ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt:3.4. Location Delivery in Accounting Messages ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt: Location information may also be reported in accounting messages. 
../data/rfc/rfc5580.txt: Accounting messages are generated when the session starts, when the ../data/rfc/rfc5580.txt- session stops, and periodically during the lifetime of the session. ../data/rfc/rfc5580.txt: Accounting messages may also be generated when the user roams during ../data/rfc/rfc5580.txt- handoff. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt: Accounting information may be needed by the billing system to ../data/rfc/rfc5580.txt- calculate the user's bill. For example, there may be different ../data/rfc/rfc5580.txt- tariffs or tax rates applied based on the location. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- If the RADIUS server needs to obtain location information in ../data/rfc/rfc5580.txt: accounting messages, then it needs to include a Requested-Location- ../data/rfc/rfc5580.txt- Info Attribute with the Access-Accept message. The Basic-Location- ../data/rfc/rfc5580.txt- Policy-Rules and the Extended-Location-Policy-Rules Attributes are to ../data/rfc/rfc5580.txt: be echoed in the Accounting-Request if indicated in the Access- ../data/rfc/rfc5580.txt- Accept. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- Figure 5 shows the message exchange. 
../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- -- ../data/rfc/rfc5580.txt- | |<---------------------------------| ../data/rfc/rfc5580.txt- | Authentication | | ../data/rfc/rfc5580.txt- | Success | | ../data/rfc/rfc5580.txt- |<----------------------| | ../data/rfc/rfc5580.txt- | | | ../data/rfc/rfc5580.txt: | | Accounting-Request | ../data/rfc/rfc5580.txt- | | + Location-Information | ../data/rfc/rfc5580.txt- | | + Location-Data | ../data/rfc/rfc5580.txt- | | + Basic-Location-Policy-Rules | ../data/rfc/rfc5580.txt- | | + Extended-Location-Policy-Rules| ../data/rfc/rfc5580.txt- | |--------------------------------->| ../data/rfc/rfc5580.txt- | | | ../data/rfc/rfc5580.txt: | | Accounting-Response | ../data/rfc/rfc5580.txt- | |<---------------------------------| ../data/rfc/rfc5580.txt- | | | ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt: Figure 5: Location Delivery in Accounting Messages ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt-4. Attributes ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- It is important to note that the location-specific parts of the ../data/rfc/rfc5580.txt- attributes defined below are not meant to be processed by the RADIUS -- ../data/rfc/rfc5580.txt- identifier to uniquely identify the owner of an access network. The ../data/rfc/rfc5580.txt- value of the Operator-Name is a non-NULL terminated text whose length ../data/rfc/rfc5580.txt- MUST NOT exceed 253 bytes. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- The Operator-Name Attribute SHOULD be sent in Access-Request and ../data/rfc/rfc5580.txt: Accounting-Request messages where the Acc-Status-Type is set to ../data/rfc/rfc5580.txt- Start, Interim, or Stop. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- A summary of the Operator-Name Attribute is shown below. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- 0 1 2 3 -- ../data/rfc/rfc5580.txt- ASCII characters containing the ICC itself. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt-4.2. 
Location-Information Attribute ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- The Location-Information Attribute MAY be sent in the Access-Request ../data/rfc/rfc5580.txt: message, the Accounting-Request message, both of these messages, or ../data/rfc/rfc5580.txt: no message. For the Accounting-Request message, the Acc-Status-Type ../data/rfc/rfc5580.txt- may be set to Start, Interim, or Stop. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- The Location-Information Attribute provides meta-data about the ../data/rfc/rfc5580.txt- location information, such as sighting time, time-to-live, location- ../data/rfc/rfc5580.txt- determination method, etc. -- ../data/rfc/rfc5580.txt- octets. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt-4.3. Location-Data Attribute ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- The Location-Data Attribute MAY be sent in Access-Request and ../data/rfc/rfc5580.txt: Accounting-Request messages. For the Accounting-Request message, the ../data/rfc/rfc5580.txt- Acc-Status-Type may be set to Start, Interim, or Stop. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- The format is shown below. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- 0 1 2 3 -- ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt-4.4. Basic-Location-Policy-Rules Attribute ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- The Basic-Location-Policy-Rules Attribute MAY be sent in Access- ../data/rfc/rfc5580.txt- Request, Access-Accept, Access-Challenge, Change-of-Authorization, ../data/rfc/rfc5580.txt: and Accounting-Request messages. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- Policy rules control the distribution of location information. 
In ../data/rfc/rfc5580.txt- order to understand and process the Basic-Location-Policy-Rules ../data/rfc/rfc5580.txt- Attribute, RADIUS clients are obligated to utilize a default value of ../data/rfc/rfc5580.txt- Basic-Location-Policy-Rules, unless explicitly configured otherwise, -- ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt-4.5. Extended-Location-Policy-Rules Attribute ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- The Extended-Location-Policy-Rules Attribute MAY be sent in Access- ../data/rfc/rfc5580.txt- Request, Access-Accept, Access-Challenge, Access-Reject, Change-of- ../data/rfc/rfc5580.txt: Authorization, and Accounting-Request messages. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- The Ruleset Reference field of this attribute is of variable length. ../data/rfc/rfc5580.txt- It contains a URI that indicates where the richer ruleset can be ../data/rfc/rfc5580.txt- found. This URI SHOULD use the HTTPS URI scheme. As a deviation ../data/rfc/rfc5580.txt- from [RFC4119], this field only contains a reference and does not -- ../data/rfc/rfc5580.txt- Location-Info Attribute), then the RADIUS server may respond with ../data/rfc/rfc5580.txt- an Access-Reject message with an Error-Cause Attribute (including ../data/rfc/rfc5580.txt- the "Location-Info-Required" value). ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- o If the RADIUS server would like location information in the ../data/rfc/rfc5580.txt: Accounting-Request message but does not require it for computing ../data/rfc/rfc5580.txt- an authorization decision, then the Access-Accept message MUST ../data/rfc/rfc5580.txt- include a Required-Info Attribute. This is typically the case ../data/rfc/rfc5580.txt- when location information is used only for billing. The RADIUS ../data/rfc/rfc5580.txt- client SHOULD attach location information, if available, to the ../data/rfc/rfc5580.txt: Accounting-Request (unless authorization policies dictate ../data/rfc/rfc5580.txt- something different). 
../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- If the RADIUS server does not send a Requested-Location-Info ../data/rfc/rfc5580.txt- Attribute, then the RADIUS client MUST NOT attach location ../data/rfc/rfc5580.txt- information to messages towards the RADIUS server. The user's -- ../data/rfc/rfc5580.txt-Tschofenig, et al. Standards Track [Page 28] ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt-RFC 5580 Carrying LOs in RADIUS and Diameter August 2009 ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt: Request Accept Reject Challenge Accounting # Attribute ../data/rfc/rfc5580.txt- Request ../data/rfc/rfc5580.txt- 0-1 0-1 0 0 0+ 126 Operator-Name ../data/rfc/rfc5580.txt- 0+ 0 0 0 0+ 127 Location-Information ../data/rfc/rfc5580.txt- 0+ 0 0 0 0+ 128 Location-Data ../data/rfc/rfc5580.txt- 0-1 0-1 0-1 0-1 0-1 129 Basic-Location- -- ../data/rfc/rfc5580.txt-Tschofenig, et al. Standards Track [Page 30] ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt-RFC 5580 Carrying LOs in RADIUS and Diameter August 2009 ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt: What is said about Accounting-Request applies in Diameter to ../data/rfc/rfc5580.txt: Accounting-Request [RFC4005] as well. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- Note that these AVPs may be used by Diameter applications other than ../data/rfc/rfc5580.txt- RFC 4005 [RFC4005] and RFC 4072 [RFC4072]. The above-mentioned ../data/rfc/rfc5580.txt- applications are, however, likely to be relevant in the context of ../data/rfc/rfc5580.txt- this document. 
-- ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- o RADIUS may return information from the home network to the visited ../data/rfc/rfc5580.txt- one in a manner that makes it possible to either identify the user ../data/rfc/rfc5580.txt- or at least correlate his session with other sessions, such as the ../data/rfc/rfc5580.txt- use of static data in a Class Attribute [RFC2865] or in some ../data/rfc/rfc5580.txt: accounting attribute usage scenarios [RFC4372]. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- o Mobility protocols may reveal some long-term identifier, such as a ../data/rfc/rfc5580.txt- home address. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- o Application-layer protocols may reveal other permanent -- ../data/rfc/rfc5580.txt- Specification, Implementation", RFC 1305, March 1992. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication ../data/rfc/rfc5580.txt- Protocol (CHAP)", RFC 1994, August 1996. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc5580.txt- ../data/rfc/rfc5580.txt- [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote ../data/rfc/rfc5580.txt- Authentication Dial In User Service) Support For ../data/rfc/rfc5580.txt- Extensible Authentication Protocol (EAP)", RFC 3579, ../data/rfc/rfc5580.txt- September 2003. -- ../data/rfc/rfc7962.txt- (https://openwireless.org/) also promotes the sharing of private ../data/rfc/rfc7962.txt- wireless networks. ../data/rfc/rfc7962.txt- ../data/rfc/rfc7962.txt- Some companies [Fon] also promote the use of Wi-Fi routers with dual ../data/rfc/rfc7962.txt- access: a Wi-Fi network for the user and a shared one. 
Adequate ../data/rfc/rfc7962.txt: Authentication, Authorization, and Accounting (AAA) policies are ../data/rfc/rfc7962.txt- implemented, so people can join the network in different ways: they ../data/rfc/rfc7962.txt- can buy a router, so they can share their connection and in turn, ../data/rfc/rfc7962.txt- they get access to all the routers associated with the community. ../data/rfc/rfc7962.txt- Some users can even get some revenue every time another user connects ../data/rfc/rfc7962.txt- to their Wi-Fi Access Point. Users that are not part of the -- ../data/rfc/rfc2566.txt- the Job name. Typically, the client software automatically ../data/rfc/rfc2566.txt- supplies the document name on behalf of the end user by using a ../data/rfc/rfc2566.txt- file name or an application generated name. If this attribute ../data/rfc/rfc2566.txt- is supplied, its value can be used in a manner defined by each ../data/rfc/rfc2566.txt- implementation. Examples include: printed along with the Job ../data/rfc/rfc2566.txt: (job start sheet, page adornments, etc.), used by accounting or ../data/rfc/rfc2566.txt- resource tracking management tools, or even stored along with ../data/rfc/rfc2566.txt- the document as a document level attribute. IPP/1.0 does not ../data/rfc/rfc2566.txt- support the concept of document level attributes. ../data/rfc/rfc2566.txt- ../data/rfc/rfc2566.txt- -- ../data/rfc/rfc3769.txt- transmission of the delegated prefixes to the customer. ../data/rfc/rfc3769.txt- ../data/rfc/rfc3769.txt- The prefix delegation should provide for reliable authentication of ../data/rfc/rfc3769.txt- the identity of the service provider's edge router. ../data/rfc/rfc3769.txt- ../data/rfc/rfc3769.txt:3.7. Accounting ../data/rfc/rfc3769.txt- ../data/rfc/rfc3769.txt- The prefix delegation mechanism must allow for the ISP to obtain ../data/rfc/rfc3769.txt: accounting information about delegated prefixes from the PE. ../data/rfc/rfc3769.txt- ../data/rfc/rfc3769.txt-3.8. 
Hardware technology Considerations ../data/rfc/rfc3769.txt- ../data/rfc/rfc3769.txt- The prefix delegation mechanism should work on any hardware link ../data/rfc/rfc3769.txt- technology between the PE and the CPE and should be hardware -- ../data/rfc/rfc6733.txt- Diameter Base Protocol ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-Abstract ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The Diameter base protocol is intended to provide an Authentication, ../data/rfc/rfc6733.txt: Authorization, and Accounting (AAA) framework for applications such ../data/rfc/rfc6733.txt- as network access or IP mobility in both local and roaming ../data/rfc/rfc6733.txt- situations. This document specifies the message format, transport, ../data/rfc/rfc6733.txt: error reporting, accounting, and security services used by all ../data/rfc/rfc6733.txt- Diameter applications. The Diameter base protocol as defined in this ../data/rfc/rfc6733.txt- document obsoletes RFC 3588 and RFC 5719, and it must be supported by ../data/rfc/rfc6733.txt- all new Diameter implementations. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-Status of This Memo -- ../data/rfc/rfc6733.txt- 7.5. Failed-AVP AVP ............................................96 ../data/rfc/rfc6733.txt- 7.6. Experimental-Result AVP ...................................97 ../data/rfc/rfc6733.txt- 7.7. Experimental-Result-Code AVP ..............................97 ../data/rfc/rfc6733.txt- 8. Diameter User Sessions .........................................98 ../data/rfc/rfc6733.txt- 8.1. Authorization Session State Machine .......................99 ../data/rfc/rfc6733.txt: 8.2. Accounting Session State Machine .........................104 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- 8.17. Session-Binding AVP .....................................120 ../data/rfc/rfc6733.txt- 8.18. 
Session-Server-Failover AVP .............................121 ../data/rfc/rfc6733.txt- 8.19. Multi-Round-Time-Out AVP ................................122 ../data/rfc/rfc6733.txt- 8.20. Class AVP ...............................................122 ../data/rfc/rfc6733.txt- 8.21. Event-Timestamp AVP .....................................122 ../data/rfc/rfc6733.txt: 9. Accounting ....................................................123 ../data/rfc/rfc6733.txt- 9.1. Server Directed Model ....................................123 ../data/rfc/rfc6733.txt- 9.2. Protocol Messages ........................................124 ../data/rfc/rfc6733.txt: 9.3. Accounting Application Extension and Requirements ........124 ../data/rfc/rfc6733.txt- 9.4. Fault Resilience .........................................125 ../data/rfc/rfc6733.txt: 9.5. Accounting Records .......................................125 ../data/rfc/rfc6733.txt: 9.6. Correlation of Accounting Records ........................126 ../data/rfc/rfc6733.txt: 9.7. Accounting Command Codes .................................127 ../data/rfc/rfc6733.txt: 9.7.1. Accounting-Request ................................127 ../data/rfc/rfc6733.txt: 9.7.2. Accounting-Answer .................................128 ../data/rfc/rfc6733.txt: 9.8. Accounting AVPs ..........................................129 ../data/rfc/rfc6733.txt: 9.8.1. Accounting-Record-Type AVP ........................129 ../data/rfc/rfc6733.txt- 9.8.2. Acct-Interim-Interval AVP .........................130 ../data/rfc/rfc6733.txt: 9.8.3. Accounting-Record-Number AVP ......................131 ../data/rfc/rfc6733.txt- 9.8.4. Acct-Session-Id AVP ...............................131 ../data/rfc/rfc6733.txt- 9.8.5. Acct-Multi-Session-Id AVP .........................131 ../data/rfc/rfc6733.txt: 9.8.6. Accounting-Sub-Session-Id AVP .....................131 ../data/rfc/rfc6733.txt: 9.8.7. Accounting-Realtime-Required AVP ..................132 ../data/rfc/rfc6733.txt- 10. 
AVP Occurrence Tables ........................................132 ../data/rfc/rfc6733.txt- 10.1. Base Protocol Command AVP Table .........................133 ../data/rfc/rfc6733.txt: 10.2. Accounting AVP Table ....................................134 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- 11.2.1. Command Codes ....................................136 ../data/rfc/rfc6733.txt- 11.2.2. Command Flags ....................................137 ../data/rfc/rfc6733.txt- 11.3. AVP Values ..............................................137 ../data/rfc/rfc6733.txt- 11.3.1. Experimental-Result-Code AVP .....................137 ../data/rfc/rfc6733.txt- 11.3.2. Result-Code AVP Values ...........................137 ../data/rfc/rfc6733.txt: 11.3.3. Accounting-Record-Type AVP Values ................137 ../data/rfc/rfc6733.txt- 11.3.4. Termination-Cause AVP Values .....................137 ../data/rfc/rfc6733.txt- 11.3.5. Redirect-Host-Usage AVP Values ...................137 ../data/rfc/rfc6733.txt- 11.3.6. Session-Server-Failover AVP Values ...............137 ../data/rfc/rfc6733.txt- 11.3.7. Session-Binding AVP Values .......................137 ../data/rfc/rfc6733.txt- 11.3.8. Disconnect-Cause AVP Values ......................138 ../data/rfc/rfc6733.txt- 11.3.9. Auth-Request-Type AVP Values .....................138 ../data/rfc/rfc6733.txt- 11.3.10. Auth-Session-State AVP Values ...................138 ../data/rfc/rfc6733.txt- 11.3.11. Re-Auth-Request-Type AVP Values .................138 ../data/rfc/rfc6733.txt: 11.3.12. Accounting-Realtime-Required AVP Values .........138 ../data/rfc/rfc6733.txt- 11.3.13. Inband-Security-Id AVP (code 299) ...............138 ../data/rfc/rfc6733.txt- 11.4. _diameters Service Name and Port Number Registration ....138 ../data/rfc/rfc6733.txt- 11.5. SCTP Payload Protocol Identifiers .......................139 ../data/rfc/rfc6733.txt- 11.6. 
S-NAPTR Parameters ......................................139 ../data/rfc/rfc6733.txt- 12. Diameter Protocol-Related Configurable Parameters ............139 -- ../data/rfc/rfc6733.txt-RFC 6733 Diameter Base Protocol October 2012 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-1. Introduction ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: Authentication, Authorization, and Accounting (AAA) protocols such as ../data/rfc/rfc6733.txt- TACACS [RFC1492] and RADIUS [RFC2865] were initially deployed to ../data/rfc/rfc6733.txt- provide dial-up PPP [RFC1661] and terminal server access. Over time, ../data/rfc/rfc6733.txt- AAA support was needed on many new access technologies, the scale and ../data/rfc/rfc6733.txt- complexity of AAA networks grew, and AAA was also used on new ../data/rfc/rfc6733.txt- applications (such as voice over IP). This led to new demands on AAA -- ../data/rfc/rfc6733.txt- integrity scheme that is required only for use with response ../data/rfc/rfc6733.txt- packets. While [RFC2869] defines an additional authentication and ../data/rfc/rfc6733.txt- integrity mechanism, use is only required during Extensible ../data/rfc/rfc6733.txt- Authentication Protocol (EAP) [RFC3748] sessions. While attribute ../data/rfc/rfc6733.txt- hiding is supported, [RFC2865] does not provide support for per- ../data/rfc/rfc6733.txt: packet confidentiality. In accounting, [RFC2866] assumes that ../data/rfc/rfc6733.txt- replay protection is provided by the backend billing server rather ../data/rfc/rfc6733.txt- than within the protocol itself. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- While [RFC3162] defines the use of IPsec with RADIUS, support for ../data/rfc/rfc6733.txt- IPsec is not required. 
In order to provide universal support for -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Reliable transport ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- RADIUS runs over UDP, and does not define retransmission behavior; ../data/rfc/rfc6733.txt- as a result, reliability varies between implementations. As ../data/rfc/rfc6733.txt: described in [RFC2975], this is a major issue in accounting, where ../data/rfc/rfc6733.txt- packet loss may translate directly into revenue loss. In order to ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- o Extensibility, required in [RFC2989], through addition of new ../data/rfc/rfc6733.txt- applications, commands, and AVPs ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- o Basic services necessary for applications, such as the handling of ../data/rfc/rfc6733.txt: user sessions or accounting ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- All data delivered by the protocol is in the form of AVPs. Some of ../data/rfc/rfc6733.txt- these AVP values are used by the Diameter protocol itself, while ../data/rfc/rfc6733.txt- others deliver data associated with particular applications that ../data/rfc/rfc6733.txt- employ Diameter. AVPs may be arbitrarily added to Diameter messages, -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-RFC 6733 Diameter Base Protocol October 2012 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- o Exchanging resource usage information, which may be used for ../data/rfc/rfc6733.txt: accounting purposes, capacity planning, etc. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- o Routing, relaying, proxying, and redirecting of Diameter messages ../data/rfc/rfc6733.txt- through a server hierarchy ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The Diameter base protocol satisfies the minimum requirements for a ../data/rfc/rfc6733.txt- AAA protocol, as specified by [RFC2989]. 
The base protocol may be ../data/rfc/rfc6733.txt: used by itself for accounting purposes only, or it may be used with a ../data/rfc/rfc6733.txt- Diameter application, such as Mobile IPv4 [RFC4004], or network ../data/rfc/rfc6733.txt- access [RFC4005]. It is also possible for the base protocol to be ../data/rfc/rfc6733.txt- extended for use in new applications, via the addition of new ../data/rfc/rfc6733.txt- commands or AVPs. The initial focus of Diameter was network access ../data/rfc/rfc6733.txt: and accounting applications. A truly generic AAA protocol used by ../data/rfc/rfc6733.txt- many applications might provide functionality not provided by ../data/rfc/rfc6733.txt- Diameter. Therefore, it is imperative that the designers of new ../data/rfc/rfc6733.txt- applications understand their requirements before using Diameter. ../data/rfc/rfc6733.txt- See Section 1.3.4 for more information on Diameter applications. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Any node can initiate a request. In that sense, Diameter is a peer- ../data/rfc/rfc6733.txt- to-peer protocol. In this document, a Diameter client is a device at ../data/rfc/rfc6733.txt- the edge of the network that performs access control, such as a ../data/rfc/rfc6733.txt- Network Access Server (NAS) or a Foreign Agent (FA). A Diameter ../data/rfc/rfc6733.txt- client generates Diameter messages to request authentication, ../data/rfc/rfc6733.txt: authorization, and accounting services for the user. A Diameter ../data/rfc/rfc6733.txt- agent is a node that does not provide local user authentication or ../data/rfc/rfc6733.txt- authorization services; agents include proxies, redirects, and relay ../data/rfc/rfc6733.txt- agents. A Diameter server performs authentication and/or ../data/rfc/rfc6733.txt- authorization of the user. A Diameter node may act as an agent for ../data/rfc/rfc6733.txt- certain requests while acting as a server for others. -- ../data/rfc/rfc6733.txt- [RFC3539]. 
This document obsoletes both RFC 3588 and RFC 5719. A ../data/rfc/rfc6733.txt- summary of the base protocol updates included in this document can be ../data/rfc/rfc6733.txt- found in Section 1.1.3. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- This document defines the base protocol specification for AAA, which ../data/rfc/rfc6733.txt: includes support for accounting. There are also a myriad of ../data/rfc/rfc6733.txt- applications documents describing applications that use this base ../data/rfc/rfc6733.txt: specification for Authentication, Authorization, and Accounting. ../data/rfc/rfc6733.txt- These application documents specify how to use the Diameter protocol ../data/rfc/rfc6733.txt- within the context of their application. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-1.2. Terminology ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- AAA ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: Authentication, Authorization, and Accounting. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- Augmented Backus-Naur Form [RFC5234]. A metalanguage with its own ../data/rfc/rfc6733.txt- formal syntax and rules. It is based on the Backus-Naur Form and ../data/rfc/rfc6733.txt- is used to define message exchanges in a bi-directional ../data/rfc/rfc6733.txt- communications protocol. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: Accounting ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The act of collecting information on resource usage for the ../data/rfc/rfc6733.txt- purpose of capacity planning, auditing, billing, or cost ../data/rfc/rfc6733.txt- allocation. 
../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: Accounting Record ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: An accounting record represents a summary of the resource ../data/rfc/rfc6733.txt: consumption of a user over the entire session. Accounting servers ../data/rfc/rfc6733.txt: creating the accounting record may do so by processing interim ../data/rfc/rfc6733.txt: accounting events or accounting events from several devices ../data/rfc/rfc6733.txt- serving the same user. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Authentication ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The act of verifying the identity of an entity (subject). -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The Diameter protocol consists of a header followed by one or more ../data/rfc/rfc6733.txt- Attribute-Value-Pairs (AVPs). An AVP includes a header and is ../data/rfc/rfc6733.txt- used to encapsulate protocol-specific data (e.g., routing ../data/rfc/rfc6733.txt- information) as well as authentication, authorization, or ../data/rfc/rfc6733.txt: accounting information. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Command Code Format (CCF) ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- A modified form of ABNF used to define Diameter commands (see ../data/rfc/rfc6733.txt- Section 3.2). -- ../data/rfc/rfc6733.txt- connection are called Diameter peers. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Diameter Server ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- A Diameter server is a Diameter node that handles authentication, ../data/rfc/rfc6733.txt: authorization, and accounting requests for a particular realm. By ../data/rfc/rfc6733.txt- its very nature, a Diameter server must support Diameter server ../data/rfc/rfc6733.txt- applications in addition to the base protocol. 
../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Downstream ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Home Server ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- A Diameter server that serves the Home Realm. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: Interim Accounting ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: An interim accounting message provides a snapshot of usage during ../data/rfc/rfc6733.txt- a user's session. Typically, it is implemented in order to ../data/rfc/rfc6733.txt: provide for partial accounting of a user's session in case a ../data/rfc/rfc6733.txt- device reboot or other network problem prevents the delivery of a ../data/rfc/rfc6733.txt- session summary message or session record. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt-Fajardo, et al. Standards Track [Page 15] ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-RFC 6733 Diameter Base Protocol October 2012 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: Real-Time Accounting ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: Real-time accounting involves the processing of information on ../data/rfc/rfc6733.txt- resource usage within a defined time window. Typically, time ../data/rfc/rfc6733.txt- constraints are imposed in order to limit financial risk. The ../data/rfc/rfc6733.txt- Diameter Credit-Control Application [RFC4006] is an example of an ../data/rfc/rfc6733.txt: application that defines real-time accounting functionality. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Relay Agent or Relay ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Relays forward requests and responses based on routing-related ../data/rfc/rfc6733.txt- AVPs and routing table entries. 
Since relays do not make policy -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- A sub-session represents a distinct service (e.g., QoS or data ../data/rfc/rfc6733.txt- characteristics) provided to a given session. These services may ../data/rfc/rfc6733.txt- happen concurrently (e.g., simultaneous voice and data transfer ../data/rfc/rfc6733.txt- during the same session) or serially. These changes in sessions ../data/rfc/rfc6733.txt: are tracked with the Accounting-Sub-Session-Id. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Transaction State ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The Diameter protocol requires that agents maintain transaction ../data/rfc/rfc6733.txt- state, which is used for failover purposes. Transaction state -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-RFC 6733 Diameter Base Protocol October 2012 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- From the point of view of extensibility, Diameter authentication, ../data/rfc/rfc6733.txt: authorization, and accounting applications are treated in the same ../data/rfc/rfc6733.txt- way. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Note: Protocol designers should try to reuse existing functionality, ../data/rfc/rfc6733.txt- namely AVP values, AVPs, commands, and Diameter applications. Reuse ../data/rfc/rfc6733.txt- simplifies standardization and implementation. To avoid potential -- ../data/rfc/rfc6733.txt- receipt of the Session-Termination-Request, Session-Termination- ../data/rfc/rfc6733.txt- Answer, expiration of authorized service time in the Session-Timeout ../data/rfc/rfc6733.txt- AVP, and according to rules established in a particular Diameter ../data/rfc/rfc6733.txt- application. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: The base Diameter protocol may be used by itself for accounting ../data/rfc/rfc6733.txt- applications. 
For authentication and authorization, it is always ../data/rfc/rfc6733.txt- extended for a particular application. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Diameter clients MUST support the base protocol, which includes ../data/rfc/rfc6733.txt: accounting. In addition, they MUST fully support each Diameter ../data/rfc/rfc6733.txt- application that is needed to implement the client's service, e.g., ../data/rfc/rfc6733.txt- Network Access Server Requirements (NASREQ) [RFC2881] and/or Mobile ../data/rfc/rfc6733.txt- IPv4. A Diameter client MUST be referred to as "Diameter X Client" ../data/rfc/rfc6733.txt- where X is the application that it supports and not a "Diameter ../data/rfc/rfc6733.txt- Client". ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Diameter servers MUST support the base protocol, which includes ../data/rfc/rfc6733.txt: accounting. In addition, they MUST fully support each Diameter ../data/rfc/rfc6733.txt- application that is needed to implement the intended service, e.g., ../data/rfc/rfc6733.txt- NASREQ and/or Mobile IPv4. A Diameter server MUST be referred to as ../data/rfc/rfc6733.txt- "Diameter X Server" where X is the application that it supports, and ../data/rfc/rfc6733.txt- not a "Diameter Server". ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Diameter relays and redirect agents are transparent to the Diameter ../data/rfc/rfc6733.txt- applications, but they MUST support the Diameter base protocol, which ../data/rfc/rfc6733.txt: includes accounting, and all Diameter applications. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Diameter proxies MUST support the base protocol, which includes ../data/rfc/rfc6733.txt: accounting. In addition, they MUST fully support each Diameter ../data/rfc/rfc6733.txt- application that is needed to implement proxied services, e.g., ../data/rfc/rfc6733.txt- NASREQ and/or Mobile IPv4. 
A Diameter proxy MUST be referred to as ../data/rfc/rfc6733.txt- "Diameter X Proxy" where X is the application which it supports, and ../data/rfc/rfc6733.txt- not a "Diameter Proxy". ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The following Application Id values are defined: ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Diameter common message 0 ../data/rfc/rfc6733.txt: Diameter base accounting 3 ../data/rfc/rfc6733.txt- Relay 0xffffffff ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Relay and redirect agents MUST advertise the Relay Application ID, ../data/rfc/rfc6733.txt- while all other Diameter nodes MUST advertise locally supported ../data/rfc/rfc6733.txt- applications. The receiver of a Capabilities Exchange message -- ../data/rfc/rfc6733.txt- transaction as specified by any contractual relationship between the ../data/rfc/rfc6733.txt- server and the previous hop. A DIAMETER_AUTHORIZATION_REJECTED error ../data/rfc/rfc6733.txt- message (see Section 7.1.5) is sent if the route traversed by the ../data/rfc/rfc6733.txt- request is unacceptable. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: A home realm may also wish to check that each accounting request ../data/rfc/rfc6733.txt- message corresponds to a Diameter response authorizing the session. ../data/rfc/rfc6733.txt: Accounting requests without corresponding authorization responses ../data/rfc/rfc6733.txt: SHOULD be subjected to further scrutiny, as should accounting ../data/rfc/rfc6733.txt- requests indicating a difference between the requested and provided ../data/rfc/rfc6733.txt- service. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Forwarding of an authorization response is considered evidence of a ../data/rfc/rfc6733.txt- willingness to take on financial risk relative to the session. A -- ../data/rfc/rfc6733.txt-Fajardo, et al. 
Standards Track [Page 33] ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-RFC 6733 Diameter Base Protocol October 2012 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: accounting request corresponding to the authorization response, the ../data/rfc/rfc6733.txt- local realm implicitly indicates its agreement to provide the service ../data/rfc/rfc6733.txt- indicated in the authorization response. If the service cannot be ../data/rfc/rfc6733.txt- provided by the local realm, then a DIAMETER_UNABLE_TO_COMPLY error ../data/rfc/rfc6733.txt: message MUST be sent within the accounting request; a Diameter client ../data/rfc/rfc6733.txt- receiving an authorization response for a service that it cannot ../data/rfc/rfc6733.txt- perform MUST NOT substitute an alternate service and then send ../data/rfc/rfc6733.txt: accounting requests for the alternate service instead. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-3. Diameter Header ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- A summary of the Diameter header format is shown below. The fields ../data/rfc/rfc6733.txt- are transmitted in network byte order. -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Application-ID ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Application-ID is four octets and is used to identify for which ../data/rfc/rfc6733.txt- application the message is applicable. The application can be an ../data/rfc/rfc6733.txt: authentication application, an accounting application, or a ../data/rfc/rfc6733.txt- vendor-specific application. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The value of the Application-ID field in the header MUST be the ../data/rfc/rfc6733.txt- same as any relevant Application-Id AVPs contained in the message. ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- Section ../data/rfc/rfc6733.txt- Command Name Abbrev. 
Code Reference ../data/rfc/rfc6733.txt- -------------------------------------------------------- ../data/rfc/rfc6733.txt- Abort-Session-Request ASR 274 8.5.1 ../data/rfc/rfc6733.txt- Abort-Session-Answer ASA 274 8.5.2 ../data/rfc/rfc6733.txt: Accounting-Request ACR 271 9.7.1 ../data/rfc/rfc6733.txt: Accounting-Answer ACA 271 9.7.2 ../data/rfc/rfc6733.txt- Capabilities-Exchange- CER 257 5.3.1 ../data/rfc/rfc6733.txt- Request ../data/rfc/rfc6733.txt- Capabilities-Exchange- CEA 257 5.3.2 ../data/rfc/rfc6733.txt- Answer ../data/rfc/rfc6733.txt- Device-Watchdog-Request DWR 280 5.5.1 -- ../data/rfc/rfc6733.txt- Additional information, encoded within AVPs, may also be included in ../data/rfc/rfc6733.txt- answer messages. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-4. Diameter AVPs ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: Diameter AVPs carry specific authentication, accounting, ../data/rfc/rfc6733.txt- authorization, and routing information as well as configuration ../data/rfc/rfc6733.txt- details for the request and reply. 
../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- AVP Section | |MUST | ../data/rfc/rfc6733.txt- Attribute Name Code Defined Data Type |MUST| NOT | ../data/rfc/rfc6733.txt- -----------------------------------------|----+-----| ../data/rfc/rfc6733.txt- Acct- 85 9.8.2 Unsigned32 | M | V | ../data/rfc/rfc6733.txt- Interim-Interval | | | ../data/rfc/rfc6733.txt: Accounting- 483 9.8.7 Enumerated | M | V | ../data/rfc/rfc6733.txt- Realtime-Required | | | ../data/rfc/rfc6733.txt- Acct- 50 9.8.5 UTF8String | M | V | ../data/rfc/rfc6733.txt- Multi-Session-Id | | | ../data/rfc/rfc6733.txt: Accounting- 485 9.8.3 Unsigned32 | M | V | ../data/rfc/rfc6733.txt- Record-Number | | | ../data/rfc/rfc6733.txt: Accounting- 480 9.8.1 Enumerated | M | V | ../data/rfc/rfc6733.txt- Record-Type | | | ../data/rfc/rfc6733.txt- Acct- 44 9.8.4 OctetString| M | V | ../data/rfc/rfc6733.txt- Session-Id | | | ../data/rfc/rfc6733.txt: Accounting- 287 9.8.6 Unsigned64 | M | V | ../data/rfc/rfc6733.txt- Sub-Session-Id | | | ../data/rfc/rfc6733.txt- Acct- 259 6.9 Unsigned32 | M | V | ../data/rfc/rfc6733.txt- Application-Id | | | ../data/rfc/rfc6733.txt- Auth- 258 6.8 Unsigned32 | M | V | ../data/rfc/rfc6733.txt- Application-Id | | | -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-6.9. Acct-Application-Id AVP ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The Acct-Application-Id AVP (AVP Code 259) is of type Unsigned32 and ../data/rfc/rfc6733.txt: is used in order to advertise support of the accounting portion of an ../data/rfc/rfc6733.txt- application (see Section 2.4). If present in a message other than ../data/rfc/rfc6733.txt- CER and CEA, the value of the Acct-Application-Id AVP MUST match the ../data/rfc/rfc6733.txt- Application Id present in the Diameter message header. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-6.10. Inband-Security-Id AVP -- ../data/rfc/rfc6733.txt- an invalid password used by the user. 
Further attempts MUST only ../data/rfc/rfc6733.txt- be tried after prompting the user for a new password. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- DIAMETER_OUT_OF_SPACE 4002 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: A Diameter node received the accounting request but was unable to ../data/rfc/rfc6733.txt- commit it to stable storage due to a temporary lack of space. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ELECTION_LOST 4003 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The peer has determined that it has lost the election process and -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-8. Diameter User Sessions ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- In general, Diameter can provide two different types of services to ../data/rfc/rfc6733.txt- applications. The first involves authentication and authorization, ../data/rfc/rfc6733.txt: and it can optionally make use of accounting. The second only makes ../data/rfc/rfc6733.txt: use of accounting. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- When a service makes use of the authentication and/or authorization ../data/rfc/rfc6733.txt- portion of an application, and a user requests access to the network, ../data/rfc/rfc6733.txt- the Diameter client issues an auth request to its local server. The ../data/rfc/rfc6733.txt- auth request is defined in a service-specific Diameter application ../data/rfc/rfc6733.txt- (e.g., NASREQ). The request contains a Session-Id AVP, which is used ../data/rfc/rfc6733.txt: in subsequent messages (e.g., subsequent authorization, accounting, ../data/rfc/rfc6733.txt- etc.) relating to the user's session. The Session-Id AVP is a means ../data/rfc/rfc6733.txt- for the client and servers to correlate a Diameter message with a ../data/rfc/rfc6733.txt- user session. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- When a Diameter server authorizes a user to implement network -- ../data/rfc/rfc6733.txt- defined in a Diameter application document. 
However, the base ../data/rfc/rfc6733.txt- protocol does define a set of messages that are used to terminate ../data/rfc/rfc6733.txt- user sessions. These are used to allow servers that maintain state ../data/rfc/rfc6733.txt- information to free resources. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: When a service only makes use of the accounting portion of the ../data/rfc/rfc6733.txt- Diameter protocol, even in combination with an application, the ../data/rfc/rfc6733.txt- Session-Id is still used to identify user sessions. However, the ../data/rfc/rfc6733.txt- session termination messages are not used, since a session is ../data/rfc/rfc6733.txt: signaled as being terminated by issuing an accounting stop message. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Diameter may also be used for services that cannot be easily ../data/rfc/rfc6733.txt: categorized as authentication, authorization, or accounting (e.g., ../data/rfc/rfc6733.txt- certain Third Generation Partnership Project Internet Multimedia ../data/rfc/rfc6733.txt- System (3GPP IMS) interfaces). In such cases, the finite state ../data/rfc/rfc6733.txt- machine defined in subsequent sections may not be applicable. ../data/rfc/rfc6733.txt- Therefore, the application itself MAY need to define its own finite ../data/rfc/rfc6733.txt- state machine. However, such application-specific state machines -- ../data/rfc/rfc6733.txt- Idle Service-specific authorization Send Idle ../data/rfc/rfc6733.txt- request received, and service- ../data/rfc/rfc6733.txt- successfully processed specific ../data/rfc/rfc6733.txt- answer ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt:8.2. Accounting Session State Machine ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The following state machines MUST be supported for applications that ../data/rfc/rfc6733.txt: have an accounting portion or that require only accounting services. ../data/rfc/rfc6733.txt- The first state machine is to be observed by clients. 
../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: See Section 9.7 for Accounting Command Codes and Section 9.8 for ../data/rfc/rfc6733.txt: Accounting AVPs. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: The server side in the accounting state machine depends in some cases ../data/rfc/rfc6733.txt- on the particular application. The Diameter base protocol defines a ../data/rfc/rfc6733.txt- default state machine that MUST be followed by all applications that ../data/rfc/rfc6733.txt- have not specified other state machines. This is the second state ../data/rfc/rfc6733.txt- machine in this section described below. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The default server side state machine requires the reception of ../data/rfc/rfc6733.txt: accounting records in any order and at any time, and it does not ../data/rfc/rfc6733.txt- place any standards requirement on the processing of these records. ../data/rfc/rfc6733.txt- Implementations of Diameter may perform checking, ordering, ../data/rfc/rfc6733.txt- correlation, fraud detection, and other tasks based on these records. ../data/rfc/rfc6733.txt- AVPs may need to be inspected as a part of these tasks. The tasks ../data/rfc/rfc6733.txt- can happen either immediately after record reception or in a post- ../data/rfc/rfc6733.txt- processing phase. However, as these tasks are typically application ../data/rfc/rfc6733.txt- or even policy dependent, they are not standardized by the Diameter ../data/rfc/rfc6733.txt- specifications. Applications MAY define requirements on when to ../data/rfc/rfc6733.txt: accept accounting records based on the used value of Accounting- ../data/rfc/rfc6733.txt- Realtime-Required AVP, credit-limit checks, and so on. 
../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- However, the Diameter base protocol defines one optional server side ../data/rfc/rfc6733.txt- state machine that MAY be followed by applications that require ../data/rfc/rfc6733.txt: keeping track of the session state at the accounting server. Note ../data/rfc/rfc6733.txt- that such tracking is incompatible with the ability to sustain long ../data/rfc/rfc6733.txt- duration connectivity problems. Therefore, the use of this state ../data/rfc/rfc6733.txt- machine is recommended only in applications where the value of the ../data/rfc/rfc6733.txt: Accounting-Realtime-Required AVP is DELIVER_AND_GRANT; hence, ../data/rfc/rfc6733.txt: accounting connectivity problems are required to cause the serviced ../data/rfc/rfc6733.txt- user to be disconnected. Otherwise, records produced by the client ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-Fajardo, et al. Standards Track [Page 104] -- ../data/rfc/rfc6733.txt- may be lost by the server, which no longer accepts them after the ../data/rfc/rfc6733.txt- connectivity is re-established. This state machine is the third ../data/rfc/rfc6733.txt- state machine in this section. The state machine is supervised by a ../data/rfc/rfc6733.txt- supervision session timer Ts, whose value should be reasonably higher ../data/rfc/rfc6733.txt- than the Acct_Interim_Interval value. Ts MAY be set to two times the ../data/rfc/rfc6733.txt: value of the Acct_Interim_Interval so as to avoid the accounting ../data/rfc/rfc6733.txt- session in the Diameter server to change to Idle state in case of ../data/rfc/rfc6733.txt- short transient network failure. 
../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Any event not listed in the state machines MUST be considered as an ../data/rfc/rfc6733.txt- error condition, and a corresponding answer, if applicable, MUST be -- ../data/rfc/rfc6733.txt- In the state table, the event "Failure to send" means that the ../data/rfc/rfc6733.txt- Diameter client is unable to communicate with the desired ../data/rfc/rfc6733.txt- destination. This could be due to the peer being down, or due to the ../data/rfc/rfc6733.txt- peer sending back a transient failure or temporary protocol error ../data/rfc/rfc6733.txt- notification DIAMETER_OUT_OF_SPACE, DIAMETER_TOO_BUSY, or ../data/rfc/rfc6733.txt: DIAMETER_LOOP_DETECTED in the Result-Code AVP of the Accounting ../data/rfc/rfc6733.txt- Answer command. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The event "Failed answer" means that the Diameter client received a ../data/rfc/rfc6733.txt: non-transient failure notification in the Accounting Answer command. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- Note that the action "Disconnect user/dev" MUST also have an effect ../data/rfc/rfc6733.txt- on the authorization session state table, e.g., cause the STR message ../data/rfc/rfc6733.txt- to be sent, if the given application has both authentication/ ../data/rfc/rfc6733.txt: authorization and accounting portions. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The states PendingS, PendingI, PendingL, PendingE, and PendingB stand ../data/rfc/rfc6733.txt: for pending states to wait for an answer to an accounting request ../data/rfc/rfc6733.txt- related to a Start, Interim, Stop, Event, or buffered record, ../data/rfc/rfc6733.txt- respectively. 

                             CLIENT, ACCOUNTING
   State      Event                           Action        New State
   -------------------------------------------------------------------
   Idle       Client or device requests       Send          PendingS
              access                          accounting
                                              start req.

   Idle       Client or device requests       Send          PendingE
              a one-time service              accounting
                                              event req

   Idle       Records in storage              Send          PendingB
                                              record

RFC 6733                Diameter Base Protocol              October 2012


   PendingS   Successful accounting                         Open
              start answer received

   PendingS   Failure to send and buffer      Store         Open
              space available and real time   Start
              not equal to DELIVER_AND_GRANT  Record
--
   PendingS   Failure to send and no          Disconnect    Idle
              buffer space available and      user/dev
              real time not equal to
              GRANT_AND_LOSE

   PendingS   Failed accounting start answer                Open
              received and real time equal
              to GRANT_AND_LOSE

   PendingS   Failed accounting start answer  Disconnect    Idle
              received and real time not      user/dev
              equal to GRANT_AND_LOSE

   PendingS   User service terminated         Store         PendingS
                                              stop
                                              record

   Open       Interim interval elapses        Send          PendingI
                                              accounting
                                              interim
                                              record

   Open       User service terminated         Send          PendingL
                                              accounting
                                              stop req.

   PendingI   Successful accounting interim                 Open
              answer received

   PendingI   Failure to send and (buffer     Store         Open
              space available or old          interim
              record can be overwritten)      record
--
   PendingI   Failure to send and no          Disconnect    Idle
              buffer space available and      user/dev
              real time not equal to
              GRANT_AND_LOSE

   PendingI   Failed accounting interim                     Open
              answer received and real time
              equal to GRANT_AND_LOSE

   PendingI   Failed accounting interim       Disconnect    Idle
              answer received and             user/dev
              real time not equal to
              GRANT_AND_LOSE

   PendingI   User service terminated         Store         PendingI
                                              stop
                                              record

   PendingE   Successful accounting                         Idle
              event answer received

   PendingE   Failure to send and buffer      Store         Idle
              space available                 event
                                              record

   PendingE   Failure to send and no buffer                 Idle
              space available

   PendingE   Failed accounting event answer                Idle
              received

   PendingB   Successful accounting answer    Delete        Idle
              received                        record

   PendingB   Failure to send                               Idle

   PendingB   Failed accounting answer        Delete        Idle
              received                        record

   PendingL   Successful accounting                         Idle
              stop answer received

   PendingL   Failure to send and buffer      Store         Idle
              space available                 stop
                                              record

   PendingL   Failure to send and no buffer                 Idle
              space available

   PendingL   Failed accounting stop answer                 Idle
              received


                        SERVER, STATELESS ACCOUNTING
   State      Event                           Action        New State
   -------------------------------------------------------------------

   Idle       Accounting start request        Send          Idle
              received and successfully       accounting
              processed.                      start
                                              answer

   Idle       Accounting event request        Send          Idle
              received and successfully       accounting
              processed.                      event
                                              answer

   Idle       Interim record received         Send          Idle
              and successfully processed.
                                              accounting
                                              interim
                                              answer

   Idle       Accounting stop request         Send          Idle
              received and successfully       accounting
              processed                       stop answer

   Idle       Accounting request received;    Send          Idle
              no space left to store          accounting
              records                         answer;
                                              Result-Code =
                                              OUT_OF_
                                              SPACE


                        SERVER, STATEFUL ACCOUNTING
   State      Event                           Action        New State
   -------------------------------------------------------------------

   Idle       Accounting start request        Send          Open
              received and successfully       accounting
              processed.                      start
                                              answer;
                                              Start Ts

   Idle       Accounting event request        Send          Idle
              received and successfully       accounting
              processed.                      event
                                              answer

   Idle       Accounting request received;    Send          Idle
              no space left to store          accounting
              records                         answer;
                                              Result-Code =
                                              OUT_OF_
                                              SPACE

   Open       Interim record received         Send          Open
              and successfully processed.
                                              accounting
                                              interim
                                              answer;
                                              Restart Ts

   Open       Accounting stop request         Send          Idle
              received and successfully       accounting
              processed                       stop answer;
                                              Stop Ts

   Open       Accounting request received;    Send          Idle
              no space left to store          accounting
              records                         answer;
                                              Result-Code =
                                              OUT_OF_
                                              SPACE;
                                              Stop Ts
--
   following the Diameter header (see Section 3).

   The Session-Id MUST be globally and eternally unique, as it is meant
   to uniquely identify a user session without reference to any other
   information, and it may be needed to correlate historical
   authentication information with accounting information.  The
   Session-Id includes a mandatory portion and an implementation-defined
   portion; a recommended format for the implementation-defined portion
   is outlined below.

   The Session-Id MUST begin with the sender's identity encoded in the
--
      accesspoint7.example.com;1876543210;523;mobile@200.1.1.88

   The Session-Id is created by the Diameter application initiating the
   session, which, in most cases, is done by the client.  Note that a
   Session-Id MAY be used for both the authentication, authorization,
   and accounting commands of a given application.

8.9.  Authorization-Lifetime AVP

   The Authorization-Lifetime AVP (AVP Code 291) is of type Unsigned32
   and contains the maximum number of seconds of service to be provided
--
      When set, the STR message for this session MUST NOT include the
      Destination-Host AVP.  When cleared, the default value, the
      Destination-Host AVP MUST be present in the STR message for this
      session.

   ACCOUNTING 4

      When set, all accounting messages for this session MUST NOT
      include the Destination-Host AVP.  When cleared, the default
      value, the Destination-Host AVP, if known, MUST be present in all
      accounting messages for this session.

8.18.  Session-Server-Failover AVP

   The Session-Server-Failover AVP (AVP Code 271) is of type Enumerated
   and MAY be present in application-specific authorization answer
--

   The Class AVP (AVP Code 25) is of type OctetString and is used by
   Diameter servers to return state information to the access device.
   When one or more Class AVPs are present in application-specific
   authorization answer messages, they MUST be present in subsequent
   re-authorization, session termination and accounting messages.  Class
   AVPs found in a re-authorization answer message override the ones
   found in any previous authorization answer message.
   Diameter server implementations SHOULD NOT return Class AVPs that
   require more than 4096 bytes of storage on the Diameter client.  A
   Diameter client that receives Class AVPs whose size exceeds local
   available storage MUST terminate the session.

8.21.  Event-Timestamp AVP

   The Event-Timestamp (AVP Code 55) is of type Time and MAY be included
   in Accounting-Request and Accounting-Answer messages to record the
   time that the reported event occurred, in seconds since January 1,
   1900 00:00 UTC.


9.  Accounting

   This accounting protocol is based on a server directed model with
   capabilities for real-time delivery of accounting information.
   Several fault resilience methods [RFC2975] have been built into the
   protocol in order to minimize loss of accounting data in various
   fault situations and under different assumptions about the
   capabilities of the used devices.

9.1.  Server Directed Model

   The server directed model means that the device generating the
   accounting data gets information from either the authorization server
   (if contacted) or the accounting server regarding the way accounting
   data shall be forwarded.  This information includes accounting record
   timeliness requirements.

   As discussed in [RFC2975], real-time transfer of accounting records
   is a requirement in cases such as the need to perform credit-limit
   checks and fraud detection.  Note that batch accounting is not a
   requirement, and is therefore not supported by Diameter.  Should
   batched accounting be required in the future, a new Diameter
   application will need to be created, or it could be handled using
   another protocol.  Note, however, that even though accounting
   requests are processed one by one at the Diameter layer, the
   transport protocols used under Diameter typically batch several
   requests in the same packet under heavy traffic conditions.  This may
   be sufficient for many applications.

   The authorization server (chain) directs the selection of the proper
   transfer strategy, based on its knowledge of the user and
   relationships of roaming partnerships.  The server (or agents) uses
   the Acct-Interim-Interval and Accounting-Realtime-Required AVPs to
   control the operation of the Diameter peer operating as a client.

   The Acct-Interim-Interval AVP, when present, instructs the Diameter
   node acting as a client to produce accounting records continuously
   even during a session.  The Accounting-Realtime-Required AVP is used
   to control the behavior of the client when the transfer of accounting
   records from the Diameter client is delayed or unsuccessful.

   The Diameter accounting server MAY override the interim interval or
   the real-time requirements by including the Acct-Interim-Interval or
   Accounting-Realtime-Required AVP in the Accounting-Answer message.
   When one of these AVPs is present, the latest value received SHOULD
   be used in further accounting activities for the same session.

9.2.  Protocol Messages

   A Diameter node that receives a successful authentication and/or
   authorization message from the Diameter server SHOULD collect
   accounting information for the session.  The Accounting-Request
   message is used to transmit the accounting information to the
   Diameter server, which MUST reply with the Accounting-Answer message
   to confirm reception.  The Accounting-Answer message includes the
   Result-Code AVP, which MAY indicate that an error was present in the
   accounting message.
   The value of the Accounting-Realtime-Required AVP received earlier
   for the session in question may indicate that the user's session has
   to be terminated when a rejected Accounting-Request message was
   received.

9.3.  Accounting Application Extension and Requirements

   Each Diameter application (e.g., NASREQ, Mobile IP) SHOULD define its
   service-specific AVPs that MUST be present in the Accounting-Request
   message in a section titled "Accounting AVPs".  The application MUST
   assume that the AVPs described in this document will be present in
   all Accounting messages, so only their respective service-specific
   AVPs need to be defined in that section.

   Applications have the option of using one or both of the following
   accounting application extension models:

   Split Accounting Service

      The accounting message will carry the Application Id of the
      Diameter base accounting application (see Section 2.4).
      Accounting messages may be routed to Diameter nodes other than the
      corresponding Diameter application.  These nodes might be
      centralized accounting servers that provide accounting service for
      multiple different Diameter applications.  These nodes MUST
      advertise the Diameter base accounting Application Id during
      capabilities exchange.

   Coupled Accounting Service

      The accounting message will carry the Application Id of the
      application that is using it.  The application itself will process
      the received accounting records or forward them to an accounting
      server.  There is no accounting application advertisement required
      during capabilities exchange, and the accounting messages will be
      routed the same way as any of the other application messages.

   In cases where an application does not define its own accounting
   service, it is preferred that the split accounting model be used.

--
   loss and network faults of a temporary nature.

   Diameter peers acting as clients MUST implement the use of failover
   to guard against server failures and certain network failures.
   Diameter peers acting as agents or related off-line processing
   systems MUST detect duplicate accounting records caused by the
   sending of the same record to several servers and duplication of
   messages in transit.  This detection MUST be based on the inspection
   of the Session-Id and Accounting-Record-Number AVP pairs.  Appendix C
   discusses duplicate detection needs and implementation issues.

   Diameter clients MAY have non-volatile memory for the safe storage of
   accounting records over reboots or extended network failures, network
   partitions, and server failures.  If such memory is available, the
   client SHOULD store new accounting records there as soon as the
   records are created and until a positive acknowledgement of their
   reception from the Diameter server has been received.  Upon a reboot,
   the client MUST start sending the records in the non-volatile memory
   to the accounting server with the appropriate modifications in
   termination cause, session length, and other relevant information in
   the records.

   A further application of this protocol may include AVPs to control
   the maximum number of accounting records that may be stored in the
   Diameter client without committing them to the non-volatile memory or
   transferring them to the Diameter server.

   The client SHOULD NOT remove the accounting data from any of its
   memory areas before the correct Accounting-Answer has been received.
   The client MAY remove the oldest, undelivered, or as yet
   unacknowledged accounting data if it runs out of resources such as
   memory.  It is an implementation-dependent matter for the client to
   accept new sessions under this condition.

9.5.  Accounting Records

   In all accounting records, the Session-Id AVP MUST be present; the
   User-Name AVP MUST be present if it is available to the Diameter
   client.

   Different types of accounting records are sent depending on the
   actual type of accounted service and the authorization server's
   directions for interim accounting.  If the accounted service is a
   one-time event, meaning that the start and stop of the event are
   simultaneous, then the Accounting-Record-Type AVP MUST be present and
   set to the value EVENT_RECORD.

   If the accounted service is of a measurable length, then the AVP MUST
   use the values START_RECORD, STOP_RECORD, and possibly,
   INTERIM_RECORD.  If the authorization server has not directed interim
   accounting to be enabled for the session, two accounting records MUST
   be generated for each service of type session.  When the initial
   Accounting-Request for a given session is sent, the
   Accounting-Record-Type AVP MUST be set to the value START_RECORD.
   When the last Accounting-Request is sent, the value MUST be
   STOP_RECORD.

   If the authorization server has directed interim accounting to be
   enabled, the Diameter client MUST produce additional records between
   the START_RECORD and STOP_RECORD, marked INTERIM_RECORD.  The
   production of these records is directed by Acct-Interim-Interval as
   well as any re-authentication or re-authorization of the session.
   The Diameter client MUST overwrite any previous interim accounting
   records that are locally stored for delivery, if a new record is
   being generated for the same session.  This ensures that only one
   pending interim record can exist on an access device for any given
   session.

   A particular value of Accounting-Sub-Session-Id MUST appear only in
   one sequence of accounting records from a Diameter client, except for
   the purposes of retransmission.  The one sequence that is sent MUST
   be either one record with Accounting-Record-Type AVP set to the value
   EVENT_RECORD or several records starting with one having the value
   START_RECORD, followed by zero or more INTERIM_RECORDs and a single
   STOP_RECORD.  A particular Diameter application specification MUST
   define the type of sequences that MUST be used.

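An added example, not code from RFC 6733, that serves two passages above at once: the Section 9.4 requirement that agents and off-line processing systems detect duplicate records on the (Session-Id, Accounting-Record-Number) pair, and the Section 9.5 rule that each Accounting-Sub-Session-Id value carries exactly one sequence, either a single EVENT_RECORD or START_RECORD, zero or more INTERIM_RECORDs and one STOP_RECORD. Records are represented as plain dictionaries keyed by AVP name, the sample stream is constructed for the example, and the numeric value of STOP_RECORD is taken from the Accounting-Record-Type AVP definition (the excerpt above lists only the first three values).

```python
"""Receiver-side duplicate detection and record-sequence checking.

Added example for Sections 9.4 and 9.5; not RFC code.  A real receiver
would decode the dictionaries from the AVPs of each Accounting-Request.
"""
from dataclasses import dataclass, field

# Accounting-Record-Type (AVP Code 480) values.  EVENT/START/INTERIM are
# listed in Section 9.8.1 above; STOP_RECORD = 4 is from the same AVP.
EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4


@dataclass
class AcctCollector:
    seen: set = field(default_factory=set)        # (Session-Id, Accounting-Record-Number)
    phase: dict = field(default_factory=dict)     # sequence key -> "open" | "closed"
    accepted: list = field(default_factory=list)  # keys of records passed on for processing
    errors: list = field(default_factory=list)    # (sequence key, record number, type)
    duplicates: int = 0

    def receive(self, rec):
        """Classify one Accounting-Request: 'accepted', 'duplicate' or 'error'."""
        key = (rec["Session-Id"], rec["Accounting-Record-Number"])
        if key in self.seen:
            # Same record delivered again (sent to several servers on failover,
            # or duplicated in transit); it must not be accounted twice.
            self.duplicates += 1
            return "duplicate"
        self.seen.add(key)

        # One sequence per (Session-Id, Accounting-Sub-Session-Id); a record
        # without a sub-session id belongs to the session-level sequence.
        seq = (rec["Session-Id"], rec.get("Accounting-Sub-Session-Id"))
        rtype = rec["Accounting-Record-Type"]
        phase = self.phase.get(seq)
        if phase is None and rtype == EVENT_RECORD:
            self.phase[seq] = "closed"        # the event record is the whole sequence
        elif phase is None and rtype == START_RECORD:
            self.phase[seq] = "open"
        elif phase == "open" and rtype == INTERIM_RECORD:
            pass                              # cumulative update of an open sequence
        elif phase == "open" and rtype == STOP_RECORD:
            self.phase[seq] = "closed"
        else:
            # Out-of-sequence record: e.g. a START reusing a sub-session id that
            # already completed a sequence, or an INTERIM/STOP with no START.
            self.errors.append((seq, rec["Accounting-Record-Number"], rtype))
            return "error"
        self.accepted.append(key)
        return "accepted"


def process(records):
    """Feed a record stream through one collector; returns the per-record
    classifications and the collector for inspection."""
    c = AcctCollector()
    return [c.receive(r) for r in records], c


# Constructed sample stream: one session whose interim record arrives twice
# (as after a failover), then a START reusing the closed sequence, and an
# unrelated one-time event.  Session-Id values imitate the example above.
SID = "nas1.example.com;1876543210;523"
SAMPLE = [
    {"Session-Id": SID, "Accounting-Record-Type": START_RECORD, "Accounting-Record-Number": 0},
    {"Session-Id": SID, "Accounting-Record-Type": INTERIM_RECORD, "Accounting-Record-Number": 1},
    {"Session-Id": SID, "Accounting-Record-Type": INTERIM_RECORD, "Accounting-Record-Number": 1},
    {"Session-Id": SID, "Accounting-Record-Type": STOP_RECORD, "Accounting-Record-Number": 2},
    {"Session-Id": SID, "Accounting-Record-Type": START_RECORD, "Accounting-Record-Number": 3},
    {"Session-Id": "nas1.example.com;1876543210;524",
     "Accounting-Record-Type": EVENT_RECORD, "Accounting-Record-Number": 0},
]

if __name__ == "__main__":
    results, collector = process(SAMPLE)
    print(results, collector.duplicates, collector.errors)
```

Duplicate detection runs before sequence checking on purpose: a retransmitted record must be recognised as the same record rather than reported as a sequence violation, which is the retransmission exception Section 9.5 makes.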
9.6.  Correlation of Accounting Records

   If an application uses accounting messages, it can correlate
   accounting records with a specific application session by using the
   Session-Id of the particular application session in the accounting
   messages.  Accounting messages MAY also use a different Session-Id
   from that of the application sessions, in which case, other
   session-related information is needed to perform correlation.

   In cases where an application requires multiple accounting
   sub-sessions, an Accounting-Sub-Session-Id AVP is used to
   differentiate each sub-session.  The Session-Id would remain constant
   for all sub-sessions and is used to correlate all the sub-sessions to
   a particular application session.  Note that receiving a STOP_RECORD
   with no Accounting-Sub-Session-Id AVP when sub-sessions were
   originally used in the START_RECORD messages implies that all
   sub-sessions are terminated.

   There are also cases where an application needs to correlate multiple
   application sessions into a single accounting record; the accounting
   record may span multiple different Diameter applications and sessions
   used by the same user at a given time.
   In such cases, the Acct-Multi-Session-Id AVP is used.  The
   Acct-Multi-Session-Id AVP SHOULD be signaled by the server to the
   access device (typically, during authorization) when it determines
   that a request belongs to an existing session.  The access device
   MUST then include the Acct-Multi-Session-Id AVP in all subsequent
   accounting messages.

   The Acct-Multi-Session-Id AVP MAY include the value of the original
   Session-Id.  Its contents are implementation specific, but they MUST
   be globally unique across other Acct-Multi-Session-Ids and MUST NOT
   change during the life of a session.
--
   session that is being accounted, and it MAY define the concept of a
   multi-session.  For instance, the NASREQ DIAMETER application treats
   a single PPP connection to a Network Access Server as one session and
   a set of Multilink PPP sessions as one multi-session.

9.7.  Accounting Command Codes

   This section defines Command Code values that MUST be supported by
   all Diameter implementations that provide accounting services.

9.7.1.  Accounting-Request

   The Accounting-Request (ACR) command, indicated by the Command Code
   field set to 271 and the Command Flags' 'R' bit set, is sent by a
   Diameter node, acting as a client, in order to exchange accounting
   information with a peer.

   In addition to the AVPs listed below, Accounting-Request messages
   SHOULD include service-specific accounting AVPs.

--
      <ACR> ::= < Diameter Header: 271, REQ, PXY >
                < Session-Id >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Accounting-Record-Type }
                { Accounting-Record-Number }
                [ Acct-Application-Id ]
                [ Vendor-Specific-Application-Id ]
                [ User-Name ]
                [ Destination-Host ]
                [ Accounting-Sub-Session-Id ]
                [ Acct-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ Acct-Interim-Interval ]
                [ Accounting-Realtime-Required ]
                [ Origin-State-Id ]
                [ Event-Timestamp ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

9.7.2.  Accounting-Answer

   The Accounting-Answer (ACA) command, indicated by the Command Code
   field set to 271 and the Command Flags' 'R' bit cleared, is used to
   acknowledge an Accounting-Request command.  The Accounting-Answer
   command contains the same Session-Id as the corresponding request.

   Only the target Diameter server, known as the home Diameter server,
   SHOULD respond with the Accounting-Answer command.
../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: In addition to the AVPs listed below, Accounting-Answer messages ../data/rfc/rfc6733.txt: SHOULD include service-specific accounting AVPs. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- <ACA> ::= < Diameter Header: 271, PXY > ../data/rfc/rfc6733.txt- < Session-Id > ../data/rfc/rfc6733.txt- { Result-Code } ../data/rfc/rfc6733.txt- { Origin-Host } ../data/rfc/rfc6733.txt- { Origin-Realm } ../data/rfc/rfc6733.txt: { Accounting-Record-Type } ../data/rfc/rfc6733.txt: { Accounting-Record-Number } ../data/rfc/rfc6733.txt- [ Acct-Application-Id ] ../data/rfc/rfc6733.txt- [ Vendor-Specific-Application-Id ] ../data/rfc/rfc6733.txt- [ User-Name ] ../data/rfc/rfc6733.txt: [ Accounting-Sub-Session-Id ] ../data/rfc/rfc6733.txt- [ Acct-Session-Id ] ../data/rfc/rfc6733.txt- [ Acct-Multi-Session-Id ] ../data/rfc/rfc6733.txt- [ Error-Message ] ../data/rfc/rfc6733.txt- [ Error-Reporting-Host ] ../data/rfc/rfc6733.txt- [ Failed-AVP ] ../data/rfc/rfc6733.txt- [ Acct-Interim-Interval ] ../data/rfc/rfc6733.txt: [ Accounting-Realtime-Required ] ../data/rfc/rfc6733.txt- [ Origin-State-Id ] ../data/rfc/rfc6733.txt- [ Event-Timestamp ] ../data/rfc/rfc6733.txt- * [ Proxy-Info ] ../data/rfc/rfc6733.txt- * [ AVP ] ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt:9.8. Accounting AVPs ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: This section contains AVPs that describe accounting usage information ../data/rfc/rfc6733.txt- related to a specific session. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt:9.8.1. Accounting-Record-Type AVP ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: The Accounting-Record-Type AVP (AVP Code 480) is of type Enumerated ../data/rfc/rfc6733.txt: and contains the type of accounting record being sent. 
The following ../data/rfc/rfc6733.txt: values are currently defined for the Accounting-Record-Type AVP: ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- EVENT_RECORD 1 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: An Accounting Event Record is used to indicate that a one-time ../data/rfc/rfc6733.txt- event has occurred (meaning that the start and end of the event ../data/rfc/rfc6733.txt- are simultaneous). This record contains all information relevant ../data/rfc/rfc6733.txt- to the service, and it is the only record of the service. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt-RFC 6733 Diameter Base Protocol October 2012 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- START_RECORD 2 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: Accounting Start, Interim, and Stop Records are used to indicate ../data/rfc/rfc6733.txt- that a service of a measurable length has been given. An ../data/rfc/rfc6733.txt: Accounting Start Record is used to initiate an accounting session ../data/rfc/rfc6733.txt: and contains accounting information that is relevant to the ../data/rfc/rfc6733.txt- initiation of the session. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- INTERIM_RECORD 3 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: An Interim Accounting Record contains cumulative accounting ../data/rfc/rfc6733.txt: information for an existing accounting session. Interim ../data/rfc/rfc6733.txt: Accounting Records SHOULD be sent every time a re-authentication ../data/rfc/rfc6733.txt- or re-authorization occurs. Further, additional interim record ../data/rfc/rfc6733.txt- triggers MAY be defined by application-specific Diameter ../data/rfc/rfc6733.txt- applications. The selection of whether to use INTERIM_RECORD ../data/rfc/rfc6733.txt- records is done by the Acct-Interim-Interval AVP. 
../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- STOP_RECORD 4 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: An Accounting Stop Record is sent to terminate an accounting ../data/rfc/rfc6733.txt: session and contains cumulative accounting information relevant to ../data/rfc/rfc6733.txt- the existing session. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-9.8.2. Acct-Interim-Interval AVP ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The Acct-Interim-Interval AVP (AVP Code 85) is of type Unsigned32 and ../data/rfc/rfc6733.txt- is sent from the Diameter home authorization server to the Diameter ../data/rfc/rfc6733.txt- client. The client uses information in this AVP to decide how and ../data/rfc/rfc6733.txt: when to produce accounting records. With different values in this ../data/rfc/rfc6733.txt: AVP, service sessions can result in one, two, or two+N accounting ../data/rfc/rfc6733.txt- records, based on the needs of the home organization. The following ../data/rfc/rfc6733.txt: accounting record production behavior is directed by the inclusion of ../data/rfc/rfc6733.txt- this AVP: ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- 1. The omission of the Acct-Interim-Interval AVP or its inclusion ../data/rfc/rfc6733.txt- with Value field set to 0 means that EVENT_RECORD, START_RECORD, ../data/rfc/rfc6733.txt- and STOP_RECORD are produced, as appropriate for the service. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- 2. The inclusion of the AVP with Value field set to a non-zero value ../data/rfc/rfc6733.txt- means that INTERIM_RECORD records MUST be produced between the ../data/rfc/rfc6733.txt- START_RECORD and STOP_RECORD records. The Value field of this ../data/rfc/rfc6733.txt- AVP is the nominal interval between these records in seconds. 
../data/rfc/rfc6733.txt: The Diameter node that originates the accounting information, ../data/rfc/rfc6733.txt- known as the client, MUST produce the first INTERIM_RECORD record ../data/rfc/rfc6733.txt- roughly at the time when this nominal interval has elapsed from ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- the START_RECORD, the next one again as the interval has elapsed ../data/rfc/rfc6733.txt- once more, and so on until the session ends and a STOP_RECORD ../data/rfc/rfc6733.txt- record is produced. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The client MUST ensure that the interim record production times ../data/rfc/rfc6733.txt: are randomized so that large accounting message storms are not ../data/rfc/rfc6733.txt- created either among records or around a common service start ../data/rfc/rfc6733.txt- time. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt:9.8.3. Accounting-Record-Number AVP ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: The Accounting-Record-Number AVP (AVP Code 485) is of type Unsigned32 ../data/rfc/rfc6733.txt- and identifies this record within one session. As Session-Id AVPs ../data/rfc/rfc6733.txt: are globally unique, the combination of Session-Id and Accounting- ../data/rfc/rfc6733.txt- Record-Number AVPs is also globally unique and can be used in ../data/rfc/rfc6733.txt: matching accounting records with confirmations. An easy way to ../data/rfc/rfc6733.txt- produce unique numbers is to set the value to 0 for records of type ../data/rfc/rfc6733.txt- EVENT_RECORD and START_RECORD and set the value to 1 for the first ../data/rfc/rfc6733.txt- INTERIM_RECORD, 2 for the second, and so on until the value for ../data/rfc/rfc6733.txt- STOP_RECORD is one more than for the last INTERIM_RECORD. ../data/rfc/rfc6733.txt- -- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-9.8.5. 
Acct-Multi-Session-Id AVP ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The Acct-Multi-Session-Id AVP (AVP Code 50) is of type UTF8String, ../data/rfc/rfc6733.txt- following the format specified in Section 8.8. The Acct-Multi- ../data/rfc/rfc6733.txt: Session-Id AVP is used to link multiple related accounting sessions, ../data/rfc/rfc6733.txt- where each session would have a unique Session-Id but the same Acct- ../data/rfc/rfc6733.txt- Multi-Session-Id AVP. This AVP MAY be returned by the Diameter ../data/rfc/rfc6733.txt- server in an authorization answer, and it MUST be used in all ../data/rfc/rfc6733.txt: accounting messages for the given session. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt:9.8.6. Accounting-Sub-Session-Id AVP ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: The Accounting-Sub-Session-Id AVP (AVP Code 287) is of type ../data/rfc/rfc6733.txt: Unsigned64 and contains the accounting sub-session identifier. The ../data/rfc/rfc6733.txt- combination of the Session-Id and this AVP MUST be unique per sub- ../data/rfc/rfc6733.txt- session, and the value of this AVP MUST be monotonically increased by ../data/rfc/rfc6733.txt- one for all new sub-sessions. The absence of this AVP implies no ../data/rfc/rfc6733.txt: sub-sessions are in use, with the exception of an Accounting-Request ../data/rfc/rfc6733.txt: whose Accounting-Record-Type is set to STOP_RECORD. A STOP_RECORD ../data/rfc/rfc6733.txt: message with no Accounting-Sub-Session-Id AVP present will signal the ../data/rfc/rfc6733.txt- termination of all sub-sessions for a given Session-Id. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-Fajardo, et al. Standards Track [Page 131] ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-RFC 6733 Diameter Base Protocol October 2012 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt:9.8.7. 
Accounting-Realtime-Required AVP ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: The Accounting-Realtime-Required AVP (AVP Code 483) is of type ../data/rfc/rfc6733.txt- Enumerated and is sent from the Diameter home authorization server to ../data/rfc/rfc6733.txt: the Diameter client or in the Accounting-Answer from the accounting ../data/rfc/rfc6733.txt- server. The client uses information in this AVP to decide what to do ../data/rfc/rfc6733.txt: if the sending of accounting records to the accounting server has ../data/rfc/rfc6733.txt- been temporarily prevented due to, for instance, a network problem. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- DELIVER_AND_GRANT 1 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The AVP with Value field set to DELIVER_AND_GRANT means that the ../data/rfc/rfc6733.txt- service MUST only be granted as long as there is a connection to ../data/rfc/rfc6733.txt: an accounting server. Note that the set of alternative accounting ../data/rfc/rfc6733.txt- servers are treated as one server in this sense. Having to move ../data/rfc/rfc6733.txt: the accounting record stream to a backup server is not a reason to ../data/rfc/rfc6733.txt- discontinue the service to the user. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- GRANT_AND_STORE 2 ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The AVP with Value field set to GRANT_AND_STORE means that service -- ../data/rfc/rfc6733.txt- 1+ At least one instance of the AVP MUST be present in the ../data/rfc/rfc6733.txt- message. ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt-10.1. Base Protocol Command AVP Table ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt: The table in this section is limited to the non-Accounting Command ../data/rfc/rfc6733.txt- Codes defined in this specification. 
../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- +-----------------------------------------------+ ../data/rfc/rfc6733.txt- | Command Code | ../data/rfc/rfc6733.txt- +---+---+---+---+---+---+---+---+---+---+---+---+ ../data/rfc/rfc6733.txt- Attribute Name |CER|CEA|DPR|DPA|DWR|DWA|RAR|RAA|ASR|ASA|STR|STA| ../data/rfc/rfc6733.txt- --------------------+---+---+---+---+---+---+---+---+---+---+---+---+ ../data/rfc/rfc6733.txt- Acct-Interim- |0 |0 |0 |0 |0 |0 |0-1|0 |0 |0 |0 |0 | ../data/rfc/rfc6733.txt- Interval | | | | | | | | | | | | | ../data/rfc/rfc6733.txt: Accounting-Realtime-|0 |0 |0 |0 |0 |0 |0-1|0 |0 |0 |0 |0 | ../data/rfc/rfc6733.txt- Required | | | | | | | | | | | | | ../data/rfc/rfc6733.txt- Acct-Application-Id |0+ |0+ |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 | ../data/rfc/rfc6733.txt- Auth-Application-Id |0+ |0+ |0 |0 |0 |0 |1 |0 |1 |0 |1 |0 | ../data/rfc/rfc6733.txt- Auth-Grace-Period |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 | ../data/rfc/rfc6733.txt- Auth-Request-Type |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 | -- ../data/rfc/rfc6733.txt- Vendor-Id |1 |1 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 | ../data/rfc/rfc6733.txt- Vendor-Specific- |0+ |0+ |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 | ../data/rfc/rfc6733.txt- Application-Id | | | | | | | | | | | | | ../data/rfc/rfc6733.txt- --------------------+---+---+---+---+---+---+---+---+---+---+---+---+ ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt:10.2. Accounting AVP Table ../data/rfc/rfc6733.txt- ../data/rfc/rfc6733.txt- The table in this section is used to represent which AVPs defined in ../data/rfc/rfc6733.txt: this document are to be present in the Accounting messages. These ../data/rfc/rfc6733.txt- AVP occurrence requirements are guidelines, which may be expanded, ../data/rfc/rfc6733.txt- and/or overridden by application-specific requirements in the ../data/rfc/rfc6733.txt- Diameter applications documents. 
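As an added example (not code from RFC 6733 or from any Diameter implementation), the Python below drives the record production rules of Section 9.8.2 and the numbering scheme of Section 9.8.3 for one session, and shows the receiving server using the (Session-Id, Accounting-Record-Number) pair to match records and drop a record re-sent after failover or a client reboot. The Session-Id strings, session length, interval and jitter fraction are constructed sample values, and the +/- jitter scheme is one possible way to randomize interim production times, not one the RFC prescribes.

```python
"""Diameter accounting record production (RFC 6733, 9.8.2) and numbering
(9.8.3).  Added illustration, not code from the RFC or from any Diameter
implementation; all sample values are constructed."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Accounting-Record-Type values (AVP Code 480, Section 9.8.1)
EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4


@dataclass(frozen=True)
class AcctRecord:
    session_id: str       # Session-Id AVP (globally unique, Section 8.8)
    record_type: int      # Accounting-Record-Type AVP (480)
    record_number: int    # Accounting-Record-Number AVP (485)
    send_at: float        # seconds after the session started


def plan_records(session_id: str, session_length: float,
                 acct_interim_interval: Optional[int] = None,
                 jitter: float = 0.1,
                 rng: Optional[random.Random] = None) -> List[AcctRecord]:
    """ACRs a client emits for one session lasting session_length seconds.

    Rule 1 (9.8.2): Acct-Interim-Interval absent or 0 -> START_RECORD and
    STOP_RECORD only.  Rule 2: a non-zero value -> an INTERIM_RECORD roughly
    every interval seconds.  Each interim time is moved by a random
    +/- jitter*interval (one way to meet the MUST that production times be
    randomized so that sessions started together do not cause a storm).
    Numbering (9.8.3): START is 0, interims 1..k, STOP is k+1.
    """
    if rng is None:
        rng = random.Random()
    records = [AcctRecord(session_id, START_RECORD, 0, 0.0)]
    if acct_interim_interval:
        nominal = acct_interim_interval
        while nominal < session_length:
            offset = rng.uniform(-jitter, jitter) * acct_interim_interval
            records.append(AcctRecord(session_id, INTERIM_RECORD,
                                      len(records), nominal + offset))
            nominal += acct_interim_interval
    records.append(AcctRecord(session_id, STOP_RECORD, len(records),
                              session_length))
    return records


def event_record(session_id: str) -> AcctRecord:
    """One-time event: the only record of the service, numbered 0."""
    return AcctRecord(session_id, EVENT_RECORD, 0, 0.0)


class AcctServer:
    """Receiving side.  (Session-Id, Accounting-Record-Number) is globally
    unique, so it is the key used to match records and to drop a record
    that was re-sent after a failover or a client reboot; the number
    sequence is checked against the 9.8.3 scheme before a record is kept."""

    def __init__(self) -> None:
        self.records: Dict[Tuple[str, int], AcctRecord] = {}

    def receive(self, rec: AcctRecord) -> str:
        key = (rec.session_id, rec.record_number)
        if key in self.records:
            return "duplicate"            # already accounted: never bill twice
        if rec.record_type in (EVENT_RECORD, START_RECORD):
            if rec.record_number != 0:
                return "bad-number"
        else:
            # INTERIM/STOP must follow record n-1 of the same session, and
            # nothing may follow a STOP or an EVENT record.  A real server
            # would hold an early-arriving record rather than reject it.
            prev = self.records.get((rec.session_id, rec.record_number - 1))
            if prev is None or prev.record_type in (STOP_RECORD, EVENT_RECORD):
                return "out-of-sequence"
        self.records[key] = rec
        return "accepted"
```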
../data/rfc/rfc6733.txt-
--
../data/rfc/rfc6733.txt-                               +-----+-----+
../data/rfc/rfc6733.txt- Attribute Name                | ACR | ACA |
../data/rfc/rfc6733.txt- ------------------------------+-----+-----+
../data/rfc/rfc6733.txt- Acct-Interim-Interval         | 0-1 | 0-1 |
../data/rfc/rfc6733.txt- Acct-Multi-Session-Id         | 0-1 | 0-1 |
../data/rfc/rfc6733.txt: Accounting-Record-Number      |  1  |  1  |
../data/rfc/rfc6733.txt: Accounting-Record-Type        |  1  |  1  |
../data/rfc/rfc6733.txt- Acct-Session-Id               | 0-1 | 0-1 |
../data/rfc/rfc6733.txt: Accounting-Sub-Session-Id     | 0-1 | 0-1 |
../data/rfc/rfc6733.txt: Accounting-Realtime-Required  | 0-1 | 0-1 |
../data/rfc/rfc6733.txt- Acct-Application-Id           | 0-1 | 0-1 |
../data/rfc/rfc6733.txt- Auth-Application-Id           |  0  |  0  |
../data/rfc/rfc6733.txt- Class                         | 0+  | 0+  |
../data/rfc/rfc6733.txt- Destination-Host              | 0-1 |  0  |
../data/rfc/rfc6733.txt- Destination-Realm             |  1  |  0  |
--
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt-11.3.2. Result-Code AVP Values
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- New values are available for assignment via IETF Review [RFC5226].
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt:11.3.3. Accounting-Record-Type AVP Values
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- New values are available for assignment via IETF Review [RFC5226].
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt-11.3.4. Termination-Cause AVP Values
../data/rfc/rfc6733.txt-
--
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt-11.3.11. Re-Auth-Request-Type AVP Values
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- New values are available for assignment via IETF Review [RFC5226].
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt:11.3.12. Accounting-Realtime-Required AVP Values
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- New values are available for assignment via IETF Review [RFC5226].
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt-11.3.13. Inband-Security-Id AVP (code 299)
../data/rfc/rfc6733.txt-
--
../data/rfc/rfc6733.txt- keys. The following AVPs defined in this document are considered to
../data/rfc/rfc6733.txt- be security-sensitive:
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- o Acct-Interim-Interval
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt: o Accounting-Realtime-Required
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- o Acct-Multi-Session-Id
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt: o Accounting-Record-Number
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt: o Accounting-Record-Type
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt: o Accounting-Session-Id
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt: o Accounting-Sub-Session-Id
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- o Class
../data/rfc/rfc6733.txt-
--
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and
../data/rfc/rfc6733.txt:           Accounting (AAA) Transport Profile", RFC 3539, June 2003.
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
../data/rfc/rfc6733.txt-           10646", STD 63, RFC 3629, November 2003.
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- [RFC3958] Daigle, L. and A. Newton, "Domain-Based Application
--
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
../data/rfc/rfc6733.txt-           "Remote Authentication Dial In User Service (RADIUS)",
../data/rfc/rfc6733.txt-           RFC 2865, June 2000.
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- [RFC2869] Rigney, C., Willats, W., and P. Calhoun, "RADIUS
../data/rfc/rfc6733.txt-           Extensions", RFC 2869, June 2000.
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- [RFC2881] Mitton, D. and M. Beadles, "Network Access Server
../data/rfc/rfc6733.txt-           Requirements Next Generation (NASREQNG) NAS Model",
../data/rfc/rfc6733.txt-           RFC 2881, July 2000.
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- [RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction
../data/rfc/rfc6733.txt:           to Accounting Management", RFC 2975, October 2000.
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- [RFC2989] Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann,
../data/rfc/rfc6733.txt-           P., Shiino, H., Walsh, P., Zorn, G., Dommety, G.,
../data/rfc/rfc6733.txt-           Perkins, C., Patil, B., Mitton, D., Manning, S.,
../data/rfc/rfc6733.txt-           Beadles, M., Chen, X., Sivalingham, S., Hameed, A.,
--
../data/rfc/rfc6733.txt- This indicates that the server supports TCP available at the returned
../data/rfc/rfc6733.txt- host names.
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt-Appendix C. Duplicate Detection
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt: As described in Section 9.4, accounting record duplicate detection is
../data/rfc/rfc6733.txt- based on session identifiers. Duplicates can appear for various
../data/rfc/rfc6733.txt- reasons:
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt- o Failover to an alternate server. Where close to real-time
../data/rfc/rfc6733.txt-   performance is required, failover thresholds need to be kept low.
--
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt: it has already tried to send the accounting records in its non-
../data/rfc/rfc6733.txt- volatile memory before the reboot occurred. Diameter servers MAY use
../data/rfc/rfc6733.txt- the T flag as an aid when processing requests and detecting duplicate
../data/rfc/rfc6733.txt- messages. However, servers that do this MUST ensure that duplicates
../data/rfc/rfc6733.txt- are found even when the first transmitted request arrives at the
../data/rfc/rfc6733.txt- server after the retransmitted request. It can be used only in cases
--
../data/rfc/rfc6733.txt- the request is sent again, (e.g., due to a failover to an alternate
../data/rfc/rfc6733.txt- peer, due to a recovered primary peer or due to a client re-sending a
../data/rfc/rfc6733.txt- stored record from non-volatile memory such as after reboot of a
../data/rfc/rfc6733.txt- client or agent).
../data/rfc/rfc6733.txt-
../data/rfc/rfc6733.txt: In some cases, the Diameter accounting server can delay the duplicate
../data/rfc/rfc6733.txt: detection and accounting record processing until a post-processing
../data/rfc/rfc6733.txt- phase takes place. At that time records are likely to be sorted
../data/rfc/rfc6733.txt- according to the included User-Name and duplicate elimination is easy
../data/rfc/rfc6733.txt- in this case. In other situations, it may be necessary to perform
../data/rfc/rfc6733.txt- real-time duplicate detection, such as when credit limits are imposed
../data/rfc/rfc6733.txt- or real-time fraud detection is desired.
--
../data/rfc/rfc6733.txt-   increases as the failover interval is decreased. In order to be
../data/rfc/rfc6733.txt-   able to detect duplicates that are out of order, the Diameter
../data/rfc/rfc6733.txt-   server should use backward and forward time windows when
../data/rfc/rfc6733.txt-   performing duplicate checking for the T-flag-marked request. For
../data/rfc/rfc6733.txt-   example, in order to allow time for the original record to exit
../data/rfc/rfc6733.txt:   the network and be recorded by the accounting server, the Diameter
../data/rfc/rfc6733.txt-   server can delay processing records with the T flag set until a
../data/rfc/rfc6733.txt-   time period TIME_WAIT + RECORD_PROCESSING_TIME has elapsed after
../data/rfc/rfc6733.txt-   the closing of the original transport connection. After this time
../data/rfc/rfc6733.txt-   period, it may check the T-flag-marked records against the
../data/rfc/rfc6733.txt-   database with relative assurance that the original records, if
--
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt-1. Introduction
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- The RADIUS protocol [RFC2865] is a widely deployed authentication and
../data/rfc/rfc6614.txt: authorization protocol. The supplementary RADIUS Accounting
../data/rfc/rfc6614.txt: specification [RFC2866] provides accounting mechanisms, thus
../data/rfc/rfc6614.txt: delivering a full Authentication, Authorization, and Accounting (AAA)
../data/rfc/rfc6614.txt- solution. However, RADIUS is experiencing several shortcomings, such
../data/rfc/rfc6614.txt- as its dependency on the unreliable transport protocol UDP and the
../data/rfc/rfc6614.txt- lack of security for large parts of its packet payload. RADIUS
../data/rfc/rfc6614.txt- security is based on the MD5 algorithm, which has been proven to be
../data/rfc/rfc6614.txt- insecure.
--
../data/rfc/rfc6614.txt-2. Normative: Transport Layer Security for RADIUS/TCP
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt-2.1. TCP port and Packet Types
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- The default destination port number for RADIUS over TLS is TCP/2083.
../data/rfc/rfc6614.txt: There are no separate ports for authentication, accounting, and
../data/rfc/rfc6614.txt- dynamic authorization changes. The source port is arbitrary. See
../data/rfc/rfc6614.txt- Section 3.4 for considerations regarding the separation of
../data/rfc/rfc6614.txt: authentication, accounting, and dynamic authorization traffic.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt-2.2. TLS Negotiation
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- RADIUS/TLS has no notion of negotiating TLS in an established
../data/rfc/rfc6614.txt- connection. Servers and clients need to be preconfigured to use
--
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o TLS Identifier
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt-2.5. RADIUS Datagrams
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt: Authentication, Authorization, and Accounting packets are sent
../data/rfc/rfc6614.txt- according to the following rules:
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- RADIUS/TLS clients transmit the same packet types on the connection
../data/rfc/rfc6614.txt- they initiated as a RADIUS/UDP client would (see Section 3.4 (3) and
../data/rfc/rfc6614.txt- (4)). For example, they send
--
../data/rfc/rfc6614.txt-RFC 6614 RADIUS over TLS May 2012
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Access-Request
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt: o Accounting-Request
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Status-Server
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Disconnect-ACK
../data/rfc/rfc6614.txt-
--
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- and they receive
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Access-Accept
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt: o Accounting-Response
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Disconnect-Request
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o ...
../data/rfc/rfc6614.txt-
--
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Access-Accept
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Access-Reject
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt: o Accounting-Response
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Disconnect-Request
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o ...
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- and they receive
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Access-Request
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt: o Accounting-Request
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Status-Server
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- o Disconnect-ACK
../data/rfc/rfc6614.txt-
--
../data/rfc/rfc6614.txt-   Request' is received, a RADIUS/TLS server needs to respond with a
../data/rfc/rfc6614.txt-   'CoA-NAK' or 'Disconnect-NAK', respectively. The NAK SHOULD
../data/rfc/rfc6614.txt-   contain an attribute Error-Cause with the value 406 ("Unsupported
../data/rfc/rfc6614.txt-   Extension"); see [RFC5176] for details.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt: o When an unwanted packet of type 'Accounting-Request' is received,
../data/rfc/rfc6614.txt:   the RADIUS/TLS server SHOULD reply with an Accounting-Response
../data/rfc/rfc6614.txt-   containing an Error-Cause attribute with value 406 "Unsupported
../data/rfc/rfc6614.txt:   Extension" as defined in [RFC5176]. A RADIUS/TLS accounting
../data/rfc/rfc6614.txt:   client receiving such an Accounting-Response SHOULD log the error
../data/rfc/rfc6614.txt:   and stop sending Accounting-Request packets.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt-3. Informative: Design Decisions
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- This section explains the design decisions that led to the rules
../data/rfc/rfc6614.txt- defined in the previous section.
--
../data/rfc/rfc6614.txt-     longer be detected by a differing datagram boundary. See
../data/rfc/rfc6614.txt-     Section 2.6.4 of [RFC6613] for more details.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- (2) Within RADIUS/UDP [RFC2865], a shared secret is used for hiding
../data/rfc/rfc6614.txt-     attributes such as User-Password, as well as in computation of
../data/rfc/rfc6614.txt:     the Response Authenticator. In RADIUS accounting [RFC2866], the
../data/rfc/rfc6614.txt-     shared secret is used in computation of both the Request
../data/rfc/rfc6614.txt-     Authenticator and the Response Authenticator. Since TLS
../data/rfc/rfc6614.txt-     provides integrity protection and encryption sufficient to
../data/rfc/rfc6614.txt-
--
../data/rfc/rfc6614.txt-     necessary to configure a RADIUS shared secret. The use of a
../data/rfc/rfc6614.txt-     fixed string for the obsolete shared secret eliminates possible
../data/rfc/rfc6614.txt-     node misconfigurations.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- (3) RADIUS/UDP [RFC2865] uses different UDP ports for
../data/rfc/rfc6614.txt:     authentication, accounting, and dynamic authorization changes.
../data/rfc/rfc6614.txt-     RADIUS/TLS allocates a single port for all RADIUS packet types.
../data/rfc/rfc6614.txt-     Nevertheless, in RADIUS/TLS, the notion of a client that sends
../data/rfc/rfc6614.txt-     authentication requests and processes replies associated with
../data/rfc/rfc6614.txt-     its users' sessions and the notion of a server that receives
../data/rfc/rfc6614.txt-     requests, processes them, and sends the appropriate replies is
--
../data/rfc/rfc6614.txt-     an implementation to actually process these packet types; it is
../data/rfc/rfc6614.txt-     only required that the NAK be sent as defined above.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- (5) RADIUS/UDP [RFC2865] uses negative ICMP responses to a newly
../data/rfc/rfc6614.txt-     allocated UDP port to signal that a peer RADIUS server does not
../data/rfc/rfc6614.txt:     support the reception and processing of RADIUS Accounting
../data/rfc/rfc6614.txt:     packets. There is no RADIUS datagram to signal an Accounting
../data/rfc/rfc6614.txt:     NAK. Clients may be misconfigured for sending Accounting
../data/rfc/rfc6614.txt-     packets to a RADIUS/TLS server that does not wish to process
../data/rfc/rfc6614.txt:     their Accounting packet. To prevent a regression of
../data/rfc/rfc6614.txt:     detectability of this situation, the Accounting-Response +
../data/rfc/rfc6614.txt-     Error-Cause signaling was introduced.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt-4. Compatibility with Other RADIUS Transports
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- The IETF defines multiple alternative transports to the classic UDP
--
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
../data/rfc/rfc6614.txt-           "Remote Authentication Dial In User Service (RADIUS)",
../data/rfc/rfc6614.txt-           RFC 2865, June 2000.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
../data/rfc/rfc6614.txt-           for Transport Layer Security (TLS)", RFC 4279,
../data/rfc/rfc6614.txt-           December 2005.
../data/rfc/rfc6614.txt-
--
../data/rfc/rfc6614.txt- [RADEXT-DTLS]
../data/rfc/rfc6614.txt-           DeKok, A., "DTLS as a Transport Layer for RADIUS", Work
../data/rfc/rfc6614.txt-           in Progress, October 2010.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and
../data/rfc/rfc6614.txt:           Accounting (AAA) Transport Profile", RFC 3539, June 2003.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
../data/rfc/rfc6614.txt-           Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
../data/rfc/rfc6614.txt-
../data/rfc/rfc6614.txt- [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic
--
../data/rfc/rfc8374.txt- [BGPsec-Initial]. However, the ordering of these validation-
../data/rfc/rfc8374.txt- processing steps is not a normative part of the BGPsec specification.
../data/rfc/rfc8374.txt-
../data/rfc/rfc8374.txt- 1. Verify that the signed update is syntactically correct. For
../data/rfc/rfc8374.txt-    example, check to see if the number of signatures matches the
../data/rfc/rfc8374.txt:    number of ASes in the AS path (after duly accounting for AS
../data/rfc/rfc8374.txt-    prepending).
../data/rfc/rfc8374.txt-
../data/rfc/rfc8374.txt- 2. Verify that the origin AS is authorized to advertise the prefix
../data/rfc/rfc8374.txt-    in question. This verification is based on data from ROAs and
../data/rfc/rfc8374.txt-    does not require any cryptographic operations.
--
../data/rfc/rfc8374.txt- discussions.
../data/rfc/rfc8374.txt-
../data/rfc/rfc8374.txt- E1 Abnormalities where a peer (i.e., the preceding AS) should
../data/rfc/rfc8374.txt-    definitely not have propagated to a receiving eBGPsec router.
../data/rfc/rfc8374.txt-    For example, (A) the number of signatures does not match the
../data/rfc/rfc8374.txt:    number of ASes in the AS path (after accounting for AS
../data/rfc/rfc8374.txt-    prepending), (B) there is an AS_SET in the received update and
../data/rfc/rfc8374.txt-    the update has signatures, or (C) other syntactic errors with
../data/rfc/rfc8374.txt-    signatures have occurred.
../data/rfc/rfc8374.txt-
../data/rfc/rfc8374.txt-    Reaction: See Section 8.5.
--
../data/rfc/rfc8374.txt-
../data/rfc/rfc8374.txt-8.5.1. Decision
../data/rfc/rfc8374.txt-
../data/rfc/rfc8374.txt- If there are syntactic-error conditions such as (A) AS_SET and
../data/rfc/rfc8374.txt- BGPsec_PATH both appearing in an update, (B) the number of signatures
../data/rfc/rfc8374.txt: not matching the number of ASes (after accounting for any AS
../data/rfc/rfc8374.txt- prepending), or (C) a parsing issue occurring with the BGPsec_PATH
../data/rfc/rfc8374.txt- attribute, then the update (with the signatures stripped) will still
../data/rfc/rfc8374.txt- be considered in the best-path-selection algorithm. (**Note: This is
../data/rfc/rfc8374.txt- not true in RFC 8205**.) If the update is selected as the best path,
../data/rfc/rfc8374.txt- then the update will be propagated unsigned. The error condition
--
../data/rfc/rfc4089.txt-O>> responsibilities of the IETF Administrative Oversight Committee
../data/rfc/rfc4089.txt-O>> (IAOC), an IETF-selected body responsible for overseeing the
../data/rfc/rfc4089.txt-O>> IASA. Like the Internet Architecture Board (IAB), the IASA would
../data/rfc/rfc4089.txt-O>> be housed within the ISOC legal umbrella. The BCP would also
../data/rfc/rfc4089.txt-O>> describe ISOC's responsibilities within this scenario, including
../data/rfc/rfc4089.txt:O>> requirements for financial accounting and transparency. A draft
../data/rfc/rfc4089.txt-O>> of this BCP is included in the next section of this document.
../data/rfc/rfc4089.txt-O>>
../data/rfc/rfc4089.txt-O>> Scenario O allows us to establish IETF control over our
../data/rfc/rfc4089.txt-O>> administrative support functions in terms of determining that
../data/rfc/rfc4089.txt-O>> they meet the community's needs, and adjusting them from time to
--
../data/rfc/rfc4089.txt-O>> process.
../data/rfc/rfc4089.txt-O>>
../data/rfc/rfc4089.txt-O>> November 1 Final budget to the ISOC Board for approval.
../data/rfc/rfc4089.txt-O>>
../data/rfc/rfc4089.txt:O>> The IAD will provide monthly accountings of expenses, and will
../data/rfc/rfc4089.txt-O>> update forecasts of expenditures quarterly. This may necessitate
../data/rfc/rfc4089.txt-O>> the adjustment of the IASA budget. The revised budget will need
../data/rfc/rfc4089.txt-O>> to be approved by the IAOC and ISOC Board of Trustees.
../data/rfc/rfc4089.txt-O>>
../data/rfc/rfc4089.txt-O>> 2.4 Relationship of the IAOC to Existing IETF Leadership
--
../data/rfc/rfc4675.txt- unsupported attribute. It is recommended that an Error-Cause
../data/rfc/rfc4675.txt- attribute with the value set to "Unsupported Attribute" (401) be
../data/rfc/rfc4675.txt- included in the CoA-NAK. As noted in [RFC3576], authorization
../data/rfc/rfc4675.txt- changes are atomic so that this situation does not result in session
../data/rfc/rfc4675.txt- termination and the preexisting configuration remains unchanged. As
../data/rfc/rfc4675.txt: a result, no accounting packets should be generated.
../data/rfc/rfc4675.txt-
../data/rfc/rfc4675.txt-2. Attributes
../data/rfc/rfc4675.txt-
../data/rfc/rfc4675.txt-2.1. Egress-VLANID
../data/rfc/rfc4675.txt-
--
../data/rfc/rfc4675.txt-   VLANID included in tunnel attributes. To configure an untagged
../data/rfc/rfc4675.txt-   VLAN for both ingress and egress, the tunnel attributes of
../data/rfc/rfc4675.txt-   [RFC3580] MUST be used.
../data/rfc/rfc4675.txt-
../data/rfc/rfc4675.txt-   Multiple Egress-VLANID attributes MAY be included in Access-
../data/rfc/rfc4675.txt:   Request, Access-Accept, CoA-Request, or Accounting-Request
../data/rfc/rfc4675.txt-   packets; this attribute MUST NOT be sent within an Access-
../data/rfc/rfc4675.txt-   Challenge, Access-Reject, Disconnect-Request, Disconnect-ACK,
../data/rfc/rfc4675.txt-
--
../data/rfc/rfc4675.txt-   per-port variable defined in [IEEE-802.1Q] clause 8.4.5. When the
../data/rfc/rfc4675.txt-   attribute has the value "Enabled", the set of VLANs that are
../data/rfc/rfc4675.txt-   allowed to ingress a port must match the set of VLANs that are
../data/rfc/rfc4675.txt-   allowed to egress a port. Only a single Ingress-Filters attribute
../data/rfc/rfc4675.txt-   MAY be sent within an Access-Request, Access-Accept, CoA-Request,
../data/rfc/rfc4675.txt:   or Accounting-Request packet; this attribute MUST NOT be sent
../data/rfc/rfc4675.txt-   within an Access-Challenge, Access-Reject, Disconnect-Request,
../data/rfc/rfc4675.txt-   Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK.
../data/rfc/rfc4675.txt-
../data/rfc/rfc4675.txt-   The Ingress-Filters attribute is shown below. The fields are
../data/rfc/rfc4675.txt-   transmitted from left to right:
--
../data/rfc/rfc4675.txt-   indicates if frames on the VLAN for this port are to be
../data/rfc/rfc4675.txt-   represented in tagged or untagged format, the second part is the
../data/rfc/rfc4675.txt-   VLAN name.
../data/rfc/rfc4675.txt-
../data/rfc/rfc4675.txt-   Multiple Egress-VLAN-Name attributes MAY be included within an
../data/rfc/rfc4675.txt:   Access-Request, Access-Accept, CoA-Request, or Accounting-Request
../data/rfc/rfc4675.txt-   packet; this attribute MUST NOT be sent within an Access-
../data/rfc/rfc4675.txt-   Challenge, Access-Reject, Disconnect-Request, Disconnect-ACK,
../data/rfc/rfc4675.txt-   Disconnect-NAK, CoA-ACK, or CoA-NAK. Each attribute adds the
../data/rfc/rfc4675.txt-   named VLAN to the list of allowed egress VLANs for the port. The
../data/rfc/rfc4675.txt-   Egress-VLAN-Name attribute is shown below.
The fields are -- ../data/rfc/rfc4675.txt- ../data/rfc/rfc4675.txt- A single User-Priority-Table attribute MAY be included in an ../data/rfc/rfc4675.txt- Access-Accept or CoA-Request packet; this attribute MUST NOT be ../data/rfc/rfc4675.txt- sent within an Access-Request, Access-Challenge, Access-Reject, ../data/rfc/rfc4675.txt- Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, CoA- ../data/rfc/rfc4675.txt: NAK or Accounting-Request. Since the regeneration table is only ../data/rfc/rfc4675.txt- maintained by a bridge conforming to [IEEE-802.1D], this attribute ../data/rfc/rfc4675.txt- should only be sent to a RADIUS client supporting that ../data/rfc/rfc4675.txt- specification. ../data/rfc/rfc4675.txt- ../data/rfc/rfc4675.txt- The User-Priority-Table attribute is shown below. The fields are -- ../data/rfc/rfc4675.txt- AA-Answer or Diameter-EAP-Answer messages that indicate failure. ../data/rfc/rfc4675.txt- ../data/rfc/rfc4675.txt- What is said about COA-Request applies in Diameter to Re-Auth-Request ../data/rfc/rfc4675.txt- [RFC4005]. ../data/rfc/rfc4675.txt- ../data/rfc/rfc4675.txt: What is said about Accounting-Request applies to Diameter ../data/rfc/rfc4675.txt: Accounting-Request [RFC4005] as well. ../data/rfc/rfc4675.txt- ../data/rfc/rfc4675.txt-5. IANA Considerations ../data/rfc/rfc4675.txt- ../data/rfc/rfc4675.txt- This specification does not create any new registries. ../data/rfc/rfc4675.txt- -- ../data/rfc/rfc4675.txt- 59 - User-Priority-Table ../data/rfc/rfc4675.txt- ../data/rfc/rfc4675.txt-6. Security Considerations ../data/rfc/rfc4675.txt- ../data/rfc/rfc4675.txt- This specification describes the use of RADIUS and Diameter for ../data/rfc/rfc4675.txt: purposes of authentication, authorization, and accounting in IEEE 802 ../data/rfc/rfc4675.txt- local area networks. 
RADIUS threats and security issues for this ../data/rfc/rfc4675.txt- application are described in [RFC3579] and [RFC3580]; security issues ../data/rfc/rfc4675.txt- encountered in roaming are described in [RFC2607]. For Diameter, the ../data/rfc/rfc4675.txt- security issues relating to this application are described in ../data/rfc/rfc4675.txt- [RFC4005] and [RFC4072]. -- ../data/rfc/rfc1478.txt- routing entity may select routes that are specific to certain source ../data/rfc/rfc1478.txt- domains, provided that the routing entity has access to the source ../data/rfc/rfc1478.txt- policies of those domains. ../data/rfc/rfc1478.txt- ../data/rfc/rfc1478.txt- In the distance vector context, the flexibility of policy route ../data/rfc/rfc1478.txt: generation afforded by accounting for other domains' transit and ../data/rfc/rfc1478.txt- source policies in route selection has the following disadvantages: ../data/rfc/rfc1478.txt- ../data/rfc/rfc1478.txt- - Each recipient of a distance vector message must bear the cost of ../data/rfc/rfc1478.txt- verifying the consistency of the associated route with the ../data/rfc/rfc1478.txt- constituent domains' transit policies. -- ../data/rfc/rfc1478.txt-3.2.1. Path Agents ../data/rfc/rfc1478.txt- ../data/rfc/rfc1478.txt- Any Internet host can reap the benefits of IDPR, as long as there ../data/rfc/rfc1478.txt- exists a path agent configured to act on its behalf and a means by ../data/rfc/rfc1478.txt- which the host's messages can reach that path agent. Path agents ../data/rfc/rfc1478.txt: select and set up policy routes for hosts, accounting for service ../data/rfc/rfc1478.txt- requirements. To obtain a host's service requirements, a path agent ../data/rfc/rfc1478.txt- may either consult its configured IDPR source policy information or ../data/rfc/rfc1478.txt- extract service requirements directly from the host's data messages, ../data/rfc/rfc1478.txt- provided such information is available in these data messages. 
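The RFC 4675 fragments above state, for each attribute, which RADIUS packet types it MAY appear in, whether more than one instance is allowed, and that a CoA-Request carrying an unsupported attribute is answered with a CoA-NAK carrying Error-Cause "Unsupported Attribute" (401) without touching the session or generating accounting. The following added example turns those rules into a checker. It is not code from RFC 4675 or from any RADIUS server; packet types and attribute names are carried as strings, and the dict-based packet representation and the `supported` set are assumptions made for illustration.

```python
"""Added example (not from RFC 4675): placement checks for the four RFC 4675
attributes using the MAY / MUST NOT lists quoted above, plus the CoA-NAK
behaviour for an unsupported attribute.

Assumed representation: a packet is {'code': <packet type name>,
'attrs': [(attribute_name, value), ...]}.  Only the names and the
Error-Cause value 401 come from the page.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

Packet = Dict[str, object]

VLAN_PACKETS: Set[str] = {"Access-Request", "Access-Accept", "CoA-Request", "Accounting-Request"}
PRIORITY_PACKETS: Set[str] = {"Access-Accept", "CoA-Request"}

# attribute -> (packet types it MAY appear in, max occurrences or None for "multiple")
RULES: Dict[str, Tuple[Set[str], Optional[int]]] = {
    "Egress-VLANID":       (VLAN_PACKETS, None),   # multiple MAY be included
    "Egress-VLAN-Name":    (VLAN_PACKETS, None),   # multiple MAY be included
    "Ingress-Filters":     (VLAN_PACKETS, 1),      # only a single one
    "User-Priority-Table": (PRIORITY_PACKETS, 1),  # single; Access-Accept / CoA-Request only
}

UNSUPPORTED_ATTRIBUTE = 401  # Error-Cause "Unsupported Attribute"


def placement_errors(packet: Packet) -> List[str]:
    """Return the placement-rule violations for one packet (empty if none)."""
    errors: List[str] = []
    counts = Counter(name for name, _ in packet["attrs"])
    for name, n in counts.items():
        if name not in RULES:
            continue  # not an RFC 4675 attribute; nothing to check here
        allowed, limit = RULES[name]
        if packet["code"] not in allowed:
            errors.append(f"{name} MUST NOT be sent in {packet['code']}")
        if limit is not None and n > limit:
            errors.append(f"only {limit} {name} allowed, got {n}")
    return errors


def coa_response(packet: Packet, supported: Set[str]) -> Packet:
    """NAS-side handling of a CoA-Request.

    Any attribute outside 'supported' yields a CoA-NAK with Error-Cause 401.
    Because authorization changes are atomic, a NAK leaves the existing
    configuration unchanged and no accounting packet is generated; the caller
    therefore applies the change only on CoA-ACK.
    """
    if packet["code"] != "CoA-Request":
        raise ValueError("coa_response expects a CoA-Request")
    for name, _ in packet["attrs"]:
        if name not in supported:
            return {"code": "CoA-NAK", "attrs": [("Error-Cause", UNSUPPORTED_ATTRIBUTE)]}
    return {"code": "CoA-ACK", "attrs": []}


if __name__ == "__main__":
    # Constructed sample packets.
    accept = {"code": "Access-Accept",
              "attrs": [("Egress-VLANID", 100), ("Egress-VLANID", 200), ("Ingress-Filters", 1)]}
    print(placement_errors(accept))                 # []
    reject = {"code": "Access-Reject", "attrs": [("Egress-VLANID", 100)]}
    print(placement_errors(reject))                 # one MUST NOT violation
    coa = {"code": "CoA-Request", "attrs": [("User-Priority-Table", b"\x00" * 8)]}
    print(coa_response(coa, supported={"Egress-VLANID"}))   # CoA-NAK, Error-Cause 401
```

A RADIUS client that enforces `placement_errors` on received Access-Accept and CoA-Request packets refuses configuration pushed in packets where the attribute is not permitted; a server-side check on outgoing packets catches the same mistake before it leaves the server.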
../data/rfc/rfc1478.txt- -- ../data/rfc/rfc3220.txt- ../data/rfc/rfc3220.txt- When the mobile node receives an Agent Advertisement with the 'R' bit ../data/rfc/rfc3220.txt- set, the mobile node SHOULD register through the foreign agent, even ../data/rfc/rfc3220.txt- when the mobile node might be able to acquire its own co-located ../data/rfc/rfc3220.txt- care-of address. This feature is intended to allow sites to enforce ../data/rfc/rfc3220.txt: visiting policies (such as accounting) which require exchanges of ../data/rfc/rfc3220.txt- authorization. ../data/rfc/rfc3220.txt- ../data/rfc/rfc3220.txt- If formerly reserved bits require some kind of monitoring/enforcement ../data/rfc/rfc3220.txt- at the foreign link, foreign agents implementing the new ../data/rfc/rfc3220.txt- specification for the formerly reserved bits can set the 'R' bit. Binary file ../data/rfc/rfc776.txt matches -- ../data/rfc/rfc7270.txt- See "NetFlow Version 9 Flow-Record Format" [CCO-NF9FMT]. ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt-4.13. srcTrafficIndex ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Description: ../data/rfc/rfc7270.txt: BGP Policy Accounting Source Traffic Index. ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Abstract Data Type: unsigned32 ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- ElementId: 92 ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Semantics: identifier ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Status: current ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Reference: ../data/rfc/rfc7270.txt: BGP policy accounting as described in [CCO-BGPPOL]. ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- -- ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt-4.14. dstTrafficIndex ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Description: ../data/rfc/rfc7270.txt: BGP Policy Accounting Destination Traffic Index. 
../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Abstract Data Type: unsigned32 ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- ElementId: 93 ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Semantics: identifier ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Status: current ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Reference: ../data/rfc/rfc7270.txt: BGP policy accounting as described in [CCO-BGPPOL]. ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt-4.15. className ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- Description: ../data/rfc/rfc7270.txt- Deprecated in favor of 335 selectorName. Traffic Class Name, -- ../data/rfc/rfc7270.txt- 2013. ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt-8.2. Informative References ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- [CCO-BGPPOL] ../data/rfc/rfc7270.txt: Cisco, "BGP Policy Accounting and BGP Policy Accounting ../data/rfc/rfc7270.txt: Output Interface Accounting Features", December 2005, ../data/rfc/rfc7270.txt- <http://www.cisco.com/en/US/tech/tk365/ ../data/rfc/rfc7270.txt- technologies_tech_note09186a0080094e88.shtml>. ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- [CCO-MLS] Cisco, "IP MultiLayer Switching Sample Configuration", ../data/rfc/rfc7270.txt- November 2007, -- ../data/rfc/rfc7270.txt- group="" ../data/rfc/rfc7270.txt- dataTypeSemantics="identifier" ../data/rfc/rfc7270.txt- elementId="92" applicability="flow" status="current"> ../data/rfc/rfc7270.txt- <description> ../data/rfc/rfc7270.txt- <paragraph> ../data/rfc/rfc7270.txt: BGP Policy Accounting Source Traffic Index. 
../data/rfc/rfc7270.txt- </paragraph> ../data/rfc/rfc7270.txt- </description> ../data/rfc/rfc7270.txt- <reference> ../data/rfc/rfc7270.txt: BGP policy accounting as described in ../data/rfc/rfc7270.txt- http://www.cisco.com/en/US/tech/tk365/ ../data/rfc/rfc7270.txt- technologies_tech_note09186a0080094e88.shtml ../data/rfc/rfc7270.txt- </reference> ../data/rfc/rfc7270.txt- ../data/rfc/rfc7270.txt- -- ../data/rfc/rfc7270.txt- group="" ../data/rfc/rfc7270.txt- dataTypeSemantics="identifier" ../data/rfc/rfc7270.txt- elementId="93" applicability="flow" status="current"> ../data/rfc/rfc7270.txt- <description> ../data/rfc/rfc7270.txt- <paragraph> ../data/rfc/rfc7270.txt: BGP Policy Accounting Destination Traffic Index. ../data/rfc/rfc7270.txt- </paragraph> ../data/rfc/rfc7270.txt- </description> ../data/rfc/rfc7270.txt- <reference> ../data/rfc/rfc7270.txt: BGP policy accounting as described in ../data/rfc/rfc7270.txt- http://www.cisco.com/en/US/tech/tk365/ ../data/rfc/rfc7270.txt- technologies_tech_note09186a0080094e88.shtml ../data/rfc/rfc7270.txt- </reference> ../data/rfc/rfc7270.txt- </field> ../data/rfc/rfc7270.txt- <field name="className" dataType="string" -- ../data/rfc/rfc2430.txt- ../data/rfc/rfc2430.txt- Because Priority traffic intrinsically has more 'value' than Best ../data/rfc/rfc2430.txt- Effort traffic, the ability to inject Priority traffic into a network ../data/rfc/rfc2430.txt- must be carefully controlled. Further, signaling concerning Priority ../data/rfc/rfc2430.txt- traffic has to be authenticated because it is likely that the ../data/rfc/rfc2430.txt: signaling information will result in specific accounting and ../data/rfc/rfc2430.txt- eventually billing for the Priority services. ISPs are cautioned to ../data/rfc/rfc2430.txt- insure that the Priority traffic that they accept is in fact from a ../data/rfc/rfc2430.txt- known previous hop. 
Note that this is a simple requirement to ../data/rfc/rfc2430.txt- fulfill at private peerings, but it is much more difficult at public ../data/rfc/rfc2430.txt- interconnects. For this reason, exchanging Priority traffic at -- ../data/rfc/rfc6320.txt-RFC 6320 ANCP Protocol October 2011 ../data/rfc/rfc6320.txt- ../data/rfc/rfc6320.txt- ../data/rfc/rfc6320.txt- * Further description (if any): This may indicate a configuration ../data/rfc/rfc6320.txt- mismatch between the AN and the NAS or Authentication, ../data/rfc/rfc6320.txt: Authorization, and Accounting (AAA). ../data/rfc/rfc6320.txt- ../data/rfc/rfc6320.txt- * Required additional information in the response message: If the ../data/rfc/rfc6320.txt- request identified multiple access lines or the response is a ../data/rfc/rfc6320.txt- Generic Response message, then the response MUST contain a ../data/rfc/rfc6320.txt- Status-Info TLV encapsulating TLV(s) containing the rejected -- ../data/rfc/rfc6320.txt- to the NAS control application that a DSL Port Up or Port Down ../data/rfc/rfc6320.txt- message has been received along with the information contained in the ../data/rfc/rfc6320.txt- message. ../data/rfc/rfc6320.txt- ../data/rfc/rfc6320.txt- The NAS control application updates its view of the DSL access line ../data/rfc/rfc6320.txt: state, performs any required accounting operations, and uses any ../data/rfc/rfc6320.txt- included line attributes to adjust the operation of its queuing/ ../data/rfc/rfc6320.txt- scheduling mechanisms as they apply to data passing to and from that ../data/rfc/rfc6320.txt- DSL access line. ../data/rfc/rfc6320.txt- ../data/rfc/rfc6320.txt- Figure 14 summarizes the interaction. -- ../data/rfc/rfc6003.txt- ../data/rfc/rfc6003.txt- o Each CTi value SHOULD correspond 1:1 to the MEF Customer ../data/rfc/rfc6003.txt- Edge VLAN CoS (CE-VLAN CoS). 
../data/rfc/rfc6003.txt- ../data/rfc/rfc6003.txt- o The BW requested per CTi field MAY be used for bandwidth ../data/rfc/rfc6003.txt: accounting purposes. ../data/rfc/rfc6003.txt- ../data/rfc/rfc6003.txt- By default, the value of the Index field MUST be set to 0. ../data/rfc/rfc6003.txt- ../data/rfc/rfc6003.txt- ../data/rfc/rfc6003.txt- -- ../data/rfc/rfc1360.txt- for Internet Addressing and Routing ../data/rfc/rfc1360.txt- ../data/rfc/rfc1360.txt- This is an information document and does not specify any ../data/rfc/rfc1360.txt- level of standard. ../data/rfc/rfc1360.txt- ../data/rfc/rfc1360.txt: 1346 - Resource Allocation, Control, and Accounting for the Use of ../data/rfc/rfc1360.txt- Network Resources ../data/rfc/rfc1360.txt- ../data/rfc/rfc1360.txt- This is an information document and does not specify any ../data/rfc/rfc1360.txt- level of standard. ../data/rfc/rfc1360.txt- -- ../data/rfc/rfc681.txt- THREE TERMINALS. PRESENTLY THIS HAS BEEN EXPANDED TO ENCOMPASS A ../data/rfc/rfc681.txt- DH11 TERMINAL MULTIPLEXOR, AN RP03 MOVING HEAD DISK, A TWIN ../data/rfc/rfc681.txt- PLATTER RF11 FIXED HEAD DISK, FLOATING POINT, AND 48K OF CORE. ../data/rfc/rfc681.txt- USER FILES ARE STORED ON THE RP03. THE RF11 IS USED AS A SWAP ../data/rfc/rfc681.txt- DISK AND FOR TEMPORARY FILE STORAGE; ONE RK05 PLATTER CONTAINS ../data/rfc/rfc681.txt: THE SYSTEM FILES, AND THE SECOND CONTAINS LOGIN AND ACCOUNTING ../data/rfc/rfc681.txt- INFORMATION. IN THE NEAR FUTURE, THE SYSTEM WILL BE EXPANDED TO ../data/rfc/rfc681.txt- 128K WORDS OF CORE MEMORY WITH 10 DIAL IN AND 10 HARD WIRED ../data/rfc/rfc681.txt- TERMINAL LINES. 7a ../data/rfc/rfc681.txt- ../data/rfc/rfc681.txt- THE BASE OPERATING SYSTEM OCCUPIES 24.5K WORDS OF MEMORY. 
THIS -- ../data/rfc/rfc1466.txt- ../data/rfc/rfc1466.txt- The IR may allocate small blocks of Class B network numbers to ../data/rfc/rfc1466.txt- regional registries if so doing will improve the service that is ../data/rfc/rfc1466.txt- being provided to the community. The IR may issue more specific ../data/rfc/rfc1466.txt- guidelines for the further assignment of the numbers which will be ../data/rfc/rfc1466.txt: consistent with the stated guidelines. The IR may require accounting ../data/rfc/rfc1466.txt- of the block assignment including receipt of the applicants' ../data/rfc/rfc1466.txt- engineering plans. The IR may audit these engineering plans to ../data/rfc/rfc1466.txt- confirm that the assignments are consistent with the guidelines. ../data/rfc/rfc1466.txt- ../data/rfc/rfc1466.txt-4.3 Class C -- ../data/rfc/rfc5456.txt- the 'causecode' and 'cause' IEs to specify why registration was ../data/rfc/rfc5456.txt- rejected. ../data/rfc/rfc5456.txt- ../data/rfc/rfc5456.txt- Upon receipt of a REGREJ message, the registrant MUST consider ../data/rfc/rfc5456.txt- registration process unsuccessful and no further interaction is ../data/rfc/rfc5456.txt: required. A peer MAY reinitiate the process at later time accounting ../data/rfc/rfc5456.txt- for potential configuration changes on the registrar or registrant. ../data/rfc/rfc5456.txt- ../data/rfc/rfc5456.txt- Both registrants and registrars MUST be capable of sending and ../data/rfc/rfc5456.txt- processing this message. ../data/rfc/rfc5456.txt- -- ../data/rfc/rfc7831.txt- 4.2. Privacy Aspects of ABFAB Communication Flows ..............36 ../data/rfc/rfc7831.txt- 4.2.1. Client to RP .......................................36 ../data/rfc/rfc7831.txt- 4.2.2. Client to IdP (via Federation Substrate) ...........37 ../data/rfc/rfc7831.txt- 4.2.3. IdP to RP (via Federation Substrate) ...............38 ../data/rfc/rfc7831.txt- 4.3. Relationship between User and Entities ....................39 ../data/rfc/rfc7831.txt: 4.4. 
Accounting Information ....................................39 ../data/rfc/rfc7831.txt- 4.5. Collection and Retention of Data and Identifiers ..........39 ../data/rfc/rfc7831.txt- 4.6. User Participation ........................................40 ../data/rfc/rfc7831.txt- 5. Security Considerations ........................................40 ../data/rfc/rfc7831.txt- 6. References .....................................................41 ../data/rfc/rfc7831.txt- 6.1. Normative References ......................................41 -- ../data/rfc/rfc7831.txt- generalized and scaled over the last decade through mechanisms such ../data/rfc/rfc7831.txt- as the Simple Authentication and Security Layer (SASL) with the ../data/rfc/rfc7831.txt- Generic Security Server Application Program Interface (GSS-API) ../data/rfc/rfc7831.txt- (known as the GS2 family) [RFC5801]; the Security Assertion Markup ../data/rfc/rfc7831.txt- Language (SAML) [OASIS.saml-core-2.0-os]; and the Authentication, ../data/rfc/rfc7831.txt: Authorization, and Accounting (AAA) architecture as embodied in ../data/rfc/rfc7831.txt- RADIUS [RFC2865] and Diameter [RFC6733]. ../data/rfc/rfc7831.txt- ../data/rfc/rfc7831.txt- A Relying Party (RP) is the entity that manages access to some ../data/rfc/rfc7831.txt- resource. The entity that is requesting access to that resource is ../data/rfc/rfc7831.txt- often described as the client. Many security mechanisms are -- ../data/rfc/rfc7831.txt- support mutual authentication, then there are no guarantees that the ../data/rfc/rfc7831.txt- IdP is who it claims to be, and thus the full NAI, including a ../data/rfc/rfc7831.txt- username and a realm, might be sent to any entity masquerading as a ../data/rfc/rfc7831.txt- particular IdP. ../data/rfc/rfc7831.txt- ../data/rfc/rfc7831.txt: Note that ABFAB has not specified any AAA accounting requirements. 
../data/rfc/rfc7831.txt: Implementations that use the accounting portion of AAA should ../data/rfc/rfc7831.txt- consider privacy appropriately when designing this aspect. ../data/rfc/rfc7831.txt- ../data/rfc/rfc7831.txt-4.2.3. IdP to RP (via Federation Substrate) ../data/rfc/rfc7831.txt- ../data/rfc/rfc7831.txt- In this phase, the IdP communicates with the RP, informing it as to -- ../data/rfc/rfc7831.txt- may, however). Knowledge of attribute information about ../data/rfc/rfc7831.txt- Individuals for these entities is not necessary, and thus such ../data/rfc/rfc7831.txt- information should be protected in such a way as to prevent the ../data/rfc/rfc7831.txt- possibility of access to this information. ../data/rfc/rfc7831.txt- ../data/rfc/rfc7831.txt:4.4. Accounting Information ../data/rfc/rfc7831.txt- ../data/rfc/rfc7831.txt- Alongside the core authentication and authorization that occur in AAA ../data/rfc/rfc7831.txt: communications, accounting information about resource consumption may ../data/rfc/rfc7831.txt: be delivered as part of the accounting exchange during the lifetime ../data/rfc/rfc7831.txt- of the granted application session. ../data/rfc/rfc7831.txt- ../data/rfc/rfc7831.txt-4.5. Collection and Retention of Data and Identifiers ../data/rfc/rfc7831.txt- ../data/rfc/rfc7831.txt- In cases where RPs are not required to identify a particular -- ../data/rfc/rfc7778.txt- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 ../data/rfc/rfc7778.txt- 1.1. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . 4 ../data/rfc/rfc7778.txt- 2. ConEx Use Cases in Mobile Communication Networks . . . . . . 4 ../data/rfc/rfc7778.txt- 2.1. ConEx as a Basis for Traffic Management . . . . . . . . . 5 ../data/rfc/rfc7778.txt- 2.2. ConEx to Incentivize Scavenger Transports . . . . . . . . 7 ../data/rfc/rfc7778.txt: 2.3. Accounting for Congestion Volume . . . . . . . . . . . . 7 ../data/rfc/rfc7778.txt- 2.4. Partial vs. Full Deployment . . . . . . . . . . . . . . 
. 8 ../data/rfc/rfc7778.txt- 2.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 9 ../data/rfc/rfc7778.txt- 3. ConEx in the EPS . . . . . . . . . . . . . . . . . . . . . . 9 ../data/rfc/rfc7778.txt- 3.1. Possible Deployment Scenarios . . . . . . . . . . . . . . 9 ../data/rfc/rfc7778.txt- 3.2. Implementing ConEx Functions in the EPS . . . . . . . . . 14 -- ../data/rfc/rfc7778.txt- 2. It can reduce the need for complex DPI by allowing for a bulk ../data/rfc/rfc7778.txt- packet traffic management system that does not have to consider ../data/rfc/rfc7778.txt- either the application classes flows belong to or the individual ../data/rfc/rfc7778.txt- sessions. Instead, traffic management would be based on the ../data/rfc/rfc7778.txt- current cost (contribution to congestion) incurred by different ../data/rfc/rfc7778.txt: flows and enable operators to apply policing/accounting depending ../data/rfc/rfc7778.txt- on their preference. Such traffic management would be simpler ../data/rfc/rfc7778.txt- and more robust (no real-time flow application type ../data/rfc/rfc7778.txt- identification required, no static configuration of application ../data/rfc/rfc7778.txt- classes); it would also perform better as decisions can be made ../data/rfc/rfc7778.txt- based on real-time actual cost contribution. With ConEx, -- ../data/rfc/rfc7778.txt- impose different QoS for different application sessions; and ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt- B. as a tool to let applications decide on their response to ../data/rfc/rfc7778.txt- congestion notification while incentivizing them to react (in ../data/rfc/rfc7778.txt- general) appropriately, e.g., by enforcing overall limits for ../data/rfc/rfc7778.txt: congestion contribution or by accounting and charging for ../data/rfc/rfc7778.txt- such congestion contribution. 
Note that this level of ../data/rfc/rfc7778.txt- responsiveness would be on a different level than, say, ../data/rfc/rfc7778.txt- application-layer responsiveness in protocols such as Dynamic ../data/rfc/rfc7778.txt- Adaptive Streaming over HTTP (DASH) [dash]; however, it could ../data/rfc/rfc7778.txt- interwork with such protocols, for example, by triggering -- ../data/rfc/rfc7778.txt- scheme, e.g., by giving a larger bandwidth allowance to users that ../data/rfc/rfc7778.txt- contribute less to congestion or lowering the next monthly ../data/rfc/rfc7778.txt- subscription fee. In principle, this would be possible to implement ../data/rfc/rfc7778.txt- with current specifications. ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt:2.3. Accounting for Congestion Volume ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt: 3G and LTE networks provide extensive support for accounting and ../data/rfc/rfc7778.txt- charging already, for example, see the Policy Charging Control (PCC) ../data/rfc/rfc7778.txt- architecture [TS23203]. In fact, most operators today account ../data/rfc/rfc7778.txt- transmitted data volume on a very fine granular basis and either ../data/rfc/rfc7778.txt- correlate monthly charging to the exact number of packets/bytes ../data/rfc/rfc7778.txt- transmitted or employ some form of flat rate (or flexible flat rate), ../data/rfc/rfc7778.txt- often with a so-called fair-use policy. With such policies, users ../data/rfc/rfc7778.txt- are typically limited to an administratively configured maximum ../data/rfc/rfc7778.txt- bandwidth limit after they have used up their contractual data volume ../data/rfc/rfc7778.txt- budget for the charging period. ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt: Changing this data from volume-based accounting to congestion-based ../data/rfc/rfc7778.txt: accounting would be possible in principle, especially since there ../data/rfc/rfc7778.txt: already is an elaborate per-user accounting system available. 
Also, ../data/rfc/rfc7778.txt- an operator-provided mobile communication network can be seen as a ../data/rfc/rfc7778.txt- network domain that would allow for such congestion volume ../data/rfc/rfc7778.txt: accounting. This would not require any support from the global ../data/rfc/rfc7778.txt- Internet, especially since the typical scarce resources such as the ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt-Kutscher, et al. Informational [Page 7] -- ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt- wireless access and the mobile backhaul are all within this domain. ../data/rfc/rfc7778.txt- Traffic normally leaves/enters the operator's network via well- ../data/rfc/rfc7778.txt- defined egress/ingress points that would be ideal candidates for ../data/rfc/rfc7778.txt- policing functions. Moreover, in most commercially operated ../data/rfc/rfc7778.txt: networks, accounting is performed for both received and sent data, ../data/rfc/rfc7778.txt: which would facilitate congestion volume accounting as well. ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt- With respect to the current Path Computation Client (PCC) framework, ../data/rfc/rfc7778.txt: accounting for congestion volume could be added as another feature to ../data/rfc/rfc7778.txt- the "Usage Monitoring Control" capability that is currently based on ../data/rfc/rfc7778.txt- data volume. This would not require a new interface (reference ../data/rfc/rfc7778.txt- points) at all. ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt-2.4. Partial vs. Full Deployment -- ../data/rfc/rfc7778.txt- Since mobile communication networks are multi-vendor networks, ../data/rfc/rfc7778.txt- standardizing ConEx support on UEs (e.g., in 3GPP specifications) ../data/rfc/rfc7778.txt- appears useful. Still, not all UEs would have to support ConEx, and ../data/rfc/rfc7778.txt- operators would be free to choose their policing approach in such ../data/rfc/rfc7778.txt- deployment scenarios. 
Leveraging existing PCC architectures, 3GPP ../data/rfc/rfc7778.txt: network operators could, for example, decide policing/accounting ../data/rfc/rfc7778.txt- approaches per UE -- i.e., apply fixed volume caps for non-ConEx UEs ../data/rfc/rfc7778.txt- and more flexible schemes for ConEx-enabled UEs. ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt- Moreover, it should be noted that network support for ConEx is a ../data/rfc/rfc7778.txt- feature that some operators may choose to deploy if they wish, but it -- ../data/rfc/rfc7778.txt- requiring any change on UEs. ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt- 2. ConEx is universally employed between operators (as depicted in ../data/rfc/rfc7778.txt- Figure 2) with an end-to-end ConEx feedback loop. Here, ../data/rfc/rfc7778.txt- operators could still employ local policies, congestion ../data/rfc/rfc7778.txt: accounting schemes, etc., and they could use information about ../data/rfc/rfc7778.txt- congestion contribution for determining interconnection ../data/rfc/rfc7778.txt- agreements. This deployment scenario would imply the willingness ../data/rfc/rfc7778.txt- of operators to expose congestion to each other. ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt- 3. For Isolated ConEx domains as depicted in Figure 3, ConEx is -- ../data/rfc/rfc7778.txt- end-to-end congestion exposure. This could be the case when ../data/rfc/rfc7778.txt- ConEx is only implemented in a few networks or when operators ../data/rfc/rfc7778.txt- decide to not expose ECN and account for congestion for inter- ../data/rfc/rfc7778.txt- domain traffic. Independent of the actual scenario, it is likely ../data/rfc/rfc7778.txt- that there will be border gateways (as in today's deployments) ../data/rfc/rfc7778.txt: that are associated with policing and accounting functions. ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt- 4. 
[conex-lite] describes an approach called "ConEx Lite" for mobile ../data/rfc/rfc7778.txt- networks that is intended for initial deployment of congestion ../data/rfc/rfc7778.txt- exposure concepts in LTE, specifically in the backhaul and core ../data/rfc/rfc7778.txt- network segments. As depicted in Figure 4, ConEx Lite allows a -- ../data/rfc/rfc7778.txt- depicted in Figure 1), operators can have different requirements for ../data/rfc/rfc7778.txt- policing traffic. Although policing is, in principle, location- ../data/rfc/rfc7778.txt- agnostic, it is important to consider requirements related to the EPS ../data/rfc/rfc7778.txt- architecture (Figure 5) such as tunneling between P-GWs and eNBs. ../data/rfc/rfc7778.txt- Policing can require access to subscriber information (e.g., ../data/rfc/rfc7778.txt: congestion contribution quota) or user-specific accounting, which ../data/rfc/rfc7778.txt- suggests that the ConEx function could be co-located with the P-GW ../data/rfc/rfc7778.txt- that already has an interface towards the Policy and Charging Rule ../data/rfc/rfc7778.txt- Function (PCRF). ../data/rfc/rfc7778.txt- ../data/rfc/rfc7778.txt- Still, policing can serve different purposes. 
For example, if the -- ../data/rfc/rfc5921.txt- CM Configuration Management ../data/rfc/rfc5921.txt- CO-CS Connection Oriented - Circuit Switched ../data/rfc/rfc5921.txt- CO-PS Connection Oriented - Packet Switched ../data/rfc/rfc5921.txt- DCN Data Communication Network ../data/rfc/rfc5921.txt- EMF Equipment Management Function ../data/rfc/rfc5921.txt: FCAPS Fault, Configuration, Accounting, Performance, and ../data/rfc/rfc5921.txt- Security ../data/rfc/rfc5921.txt- FM Fault Management ../data/rfc/rfc5921.txt- G-ACh Generic Associated Channel ../data/rfc/rfc5921.txt- GAL G-ACh Label ../data/rfc/rfc5921.txt- LER Label Edge Router -- ../data/rfc/rfc5921.txt- o An IP encapsulation where IP capabilities are present, e.g., PW ../data/rfc/rfc5921.txt- ACH encapsulation with IP headers for VCCV-BFD [RFC5885] or IP ../data/rfc/rfc5921.txt- encapsulation for MPLS BFD [RFC5884]. ../data/rfc/rfc5921.txt- ../data/rfc/rfc5921.txt- MPLS-TP makes use of such a generic associated channel (G-ACh) to ../data/rfc/rfc5921.txt: support Fault, Configuration, Accounting, Performance, and Security ../data/rfc/rfc5921.txt- (FCAPS) functions by carrying packets related to OAM, a protocol used ../data/rfc/rfc5921.txt- to coordinate path protection state, SCC, MCC or other packet types ../data/rfc/rfc5921.txt- in-band over LSPs, PWs, or sections. The G-ACh is defined in ../data/rfc/rfc5921.txt- [RFC5586] and is similar to the Pseudowire Associated Channel ../data/rfc/rfc5921.txt- [RFC4385], which is used to carry OAM packets over pseudowires. The -- ../data/rfc/rfc1259.txt- function as a channel for delivery of a wide range of privately- ../data/rfc/rfc1259.txt- developed information services. 
   To encourage use of the Network by commercial information service
   providers, where technically feasible, the Network shall have
   accounting mechanisms which allow, where appropriate, users or
   groups of users to be charged for their usage of copyrighted
   materials over the Network. (5)

   Congress can create an environment that stimulates information
   entrepreneurship by mandating that the NREN rely on open technical

rfc1596.txt:
   4.  Object Definitions .................................... 12
   4.1 The Frame Relay Service Logical Port Group ........... 12
   4.2 The Frame Relay Management VC Signaling Group ........ 15
   4.3 The PVC End-Point Group .............................. 22
   4.4 Frame Relay PVC Connection Group ..................... 30
   4.5 Frame Relay Accounting Groups ........................ 37
   5.  Frame Relay Network Service TRAPS ..................... 40
   6.  Conformance Information ............................... 43
   7.  Acknowledgments ....................................... 45
   8.  References ............................................ 45
   9.  Security Considerations ............................... 46

rfc1596.txt:
Frame Relay Service MIB Working Group                          [Page 36]

RFC 1596                 Frame Relay Service MIB               March 1994

      -- The Frame Relay Accounting Groups

      -- The groups are the following:
      --   Accounting on a PVC basis
      --   Accounting on an Interface/Logical Port basis

      -- The Accounting on a Frame Relay PVC basis Group

      -- The accounting information is collected for a PVC
      -- segment end-point.

      frAccountPVCTable OBJECT-TYPE
          SYNTAX      SEQUENCE OF FrAccountPVCEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "The Frame Relay Accounting PVC table.  This table
              is used to perform accounting on a PVC segment
              end-point basis."
          ::= { frnetservObjects 6 }

      frAccountPVCEntry OBJECT-TYPE
          SYNTAX      FrAccountPVCEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "An entry in the Frame Relay Accounting PVC
              table."
          INDEX { ifIndex, frAccountPVCDLCIIndex }
          ::= { frAccountPVCTable 1 }

      FrAccountPVCEntry ::=

rfc1596.txt:
              "The value of this object is equal to the number
              of segments sent by this PVC segment end-point."
          ::= { frAccountPVCEntry 4 }

      -- The Accounting on a Frame Relay Logical Port basis Group

      frAccountLportTable OBJECT-TYPE
          SYNTAX      SEQUENCE OF FrAccountLportEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "The Frame Relay Accounting Logical Port table.
              This table is used to perform accounting on a
              UNI/NNI Logical Port basis."
          ::= { frnetservObjects 7 }

      frAccountLportEntry OBJECT-TYPE

rfc1596.txt:
          SYNTAX      FrAccountLportEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "An entry in the Frame Relay Accounting Logical
              Port table."
          INDEX { ifIndex }
          ::= { frAccountLportTable 1 }

      FrAccountLportEntry ::=

rfc1596.txt:
          GROUP frnetservAccountPVCGroup
          DESCRIPTION
              "This group is optional for Frame Relay interfaces.
              It is mandatory if and only if accounting is performed
              on a PVC basis this Frame Relay interface."
          GROUP frnetservAccountLportGroup

rfc1596.txt:
          DESCRIPTION
              "This group is optional for Frame Relay interfaces.
              It is mandatory if and only if accounting is performed
              on a logical port basis this Frame Relay interface."

          OBJECT frPVCEndptInMaxFrameSize

rfc1596.txt:
      frnetservAccountPVCGroup OBJECT-GROUP
          OBJECTS { frAccountPVCSegmentSize, frAccountPVCInSegments,
                    frAccountPVCOutSegments }
          STATUS  current
          DESCRIPTION
              "A collection of objects providing accounting
              information application to a Frame Relay PVC end-point."
          ::= { frnetservGroups 5 }

      frnetservAccountLportGroup OBJECT-GROUP
          OBJECTS { frAccountLportSegmentSize, frAccountLportInSegments,
                    frAccountLportOutSegments }
          STATUS  current
          DESCRIPTION
              "A collection of objects providing accounting
              information application to a Frame Relay logical port."
          ::= { frnetservGroups 6 }

rfc2954.txt:
   3.2 Frame Relay Management VC Signaling ........................ 22
   3.3 Frame Relay PVC End-Points ................................. 32
   3.4 Frame Relay PVC Connections ................................ 45
   3.5 Frame Relay Accounting ..................................... 53
   3.6 Frame Relay Network Service Notifications .................. 56
   3.7 Conformance Information .................................... 57
   4   Acknowledgments ............................................ 67
   5   References ................................................. 67
   6   Security Considerations .................................... 69

rfc2954.txt:
              "This is a system supplied textual representation
              of PVC.  It is assigned by the service provider."
          ::= { frPVCConnectEntry 13 }

      --
      -- The Frame Relay Accounting
      --

      frAccountPVCTable OBJECT-TYPE
          SYNTAX      SEQUENCE OF FrAccountPVCEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "The Frame Relay Accounting PVC table.  This table
              is used to perform accounting on a PVC segment
              end-point basis."
          ::= { frnetservObjects 6 }

      frAccountPVCEntry OBJECT-TYPE
          SYNTAX      FrAccountPVCEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "An entry in the Frame Relay Accounting PVC
              table."
          INDEX { ifIndex,
                  frAccountPVCDLCIIndex }
          ::= { frAccountPVCTable 1 }

rfc2954.txt:
              "The value of this object is equal to the number
              of segments sent by this PVC segment end-point."
          ::= { frAccountPVCEntry 4 }

      --
      -- Accounting on a Frame Relay Logical Port
      --

      frAccountLportTable OBJECT-TYPE
          SYNTAX      SEQUENCE OF FrAccountLportEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "The Frame Relay Accounting Logical Port table.
              This table is used to perform accounting on a
              UNI/NNI Logical Port basis."
          ::= { frnetservObjects 7 }

      --
      frAccountLportEntry OBJECT-TYPE
          SYNTAX      FrAccountLportEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "An entry in the Frame Relay Accounting Logical
              Port table."
          INDEX { ifIndex }
          ::= { frAccountLportTable 1 }

      FrAccountLportEntry ::=

rfc2954.txt:
          GROUP frnetservAccountPVCGroup
          DESCRIPTION
              "This group is optional for frame relay
              interfaces.  It is mandatory if and only if
              accounting is performed on a PVC basis this frame
              relay interface."
          GROUP frnetservAccountLportGroup
          DESCRIPTION
              "This group is optional for frame relay
              interfaces.  It is mandatory if and only if
              accounting is performed on a logical port basis
              this frame relay interface."

          OBJECT frPVCEndptInMaxFrameSize

rfc2954.txt:
          GROUP frnetservAccountPVCGroup
          DESCRIPTION
              "This group is optional for frame relay
              interfaces.  It is mandatory if and only if
              accounting is performed on a PVC basis this frame
              relay interface."
          GROUP frnetservAccountLportGroup
          DESCRIPTION
              "This group is optional for frame relay
              interfaces.  It is mandatory if and only if
              accounting is performed on a logical port basis
              this frame relay interface."

          ::= { frnetservCompliances 3 }

      --

rfc2954.txt:
          GROUP frnetservAccountPVCGroup
          DESCRIPTION
              "This group is optional for Frame Relay
              interfaces.  It is mandatory if and only if
              accounting is performed on a PVC basis this Frame
              Relay interface."
          GROUP frnetservAccountLportGroup
          DESCRIPTION
              "This group is optional for Frame Relay
              interfaces.  It is mandatory if and only if
              accounting is performed on a logical port basis
              this Frame Relay interface."

          OBJECT frPVCEndptInMaxFrameSize
          MIN-ACCESS read-only
          DESCRIPTION

rfc2954.txt:
          OBJECTS { frAccountPVCSegmentSize,
                    frAccountPVCInSegments,
                    frAccountPVCOutSegments }
          STATUS  current
          DESCRIPTION
              "A collection of objects providing accounting
              information application to a Frame Relay PVC end-
              point."
          ::= { frnetservGroups 5 }

      frnetservAccountLportGroup OBJECT-GROUP
          OBJECTS { frAccountLportSegmentSize,
                    frAccountLportInSegments,
                    frAccountLportOutSegments }
          STATUS  current
          DESCRIPTION
              "A collection of objects providing accounting
              information application to a Frame Relay logical
              port."
          ::= { frnetservGroups 6 }

      frnetservLportGroup2 OBJECT-GROUP

rfc1604.txt:
   4.  Object Definitions .................................... 12
   4.1 The Frame Relay Service Logical Port Group ........... 12
   4.2 The Frame Relay Management VC Signaling Group ........ 15
   4.3 The PVC End-Point Group .............................. 22
   4.4 Frame Relay PVC Connection Group ..................... 30
   4.5 Frame Relay Accounting Groups ........................ 37
   5.  Frame Relay Network Service TRAPS ..................... 40
   6.  Conformance Information ............................... 43
   7.  Acknowledgments ....................................... 45
   8.  References ............................................ 45
   9.  Security Considerations ............................... 46

rfc1604.txt:
Frame Relay Service MIB Working Group                          [Page 36]

RFC 1604                 Frame Relay Service MIB               March 1994

      -- The Frame Relay Accounting Groups

      -- The groups are the following:
      --   Accounting on a PVC basis
      --   Accounting on an Interface/Logical Port basis

      -- The Accounting on a Frame Relay PVC basis Group

      -- The accounting information is collected for a PVC
      -- segment end-point.

      frAccountPVCTable OBJECT-TYPE
          SYNTAX      SEQUENCE OF FrAccountPVCEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "The Frame Relay Accounting PVC table.  This table
              is used to perform accounting on a PVC segment
              end-point basis."
          ::= { frnetservObjects 6 }

      frAccountPVCEntry OBJECT-TYPE
          SYNTAX      FrAccountPVCEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "An entry in the Frame Relay Accounting PVC
              table."
          INDEX { ifIndex, frAccountPVCDLCIIndex }
          ::= { frAccountPVCTable 1 }

      FrAccountPVCEntry ::=

rfc1604.txt:
              "The value of this object is equal to the number
              of segments sent by this PVC segment end-point."
          ::= { frAccountPVCEntry 4 }

      -- The Accounting on a Frame Relay Logical Port basis Group

      frAccountLportTable OBJECT-TYPE
          SYNTAX      SEQUENCE OF FrAccountLportEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "The Frame Relay Accounting Logical Port table.
              This table is used to perform accounting on a
              UNI/NNI Logical Port basis."
          ::= { frnetservObjects 7 }

      frAccountLportEntry OBJECT-TYPE

rfc1604.txt:
          SYNTAX      FrAccountLportEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
              "An entry in the Frame Relay Accounting Logical
              Port table."
          INDEX { ifIndex }
          ::= { frAccountLportTable 1 }

      FrAccountLportEntry ::=

rfc1604.txt:
          GROUP frnetservAccountPVCGroup
          DESCRIPTION
              "This group is optional for Frame Relay interfaces.
              It is mandatory if and only if accounting is performed
              on a PVC basis this Frame Relay interface."

          GROUP frnetservAccountLportGroup

rfc1604.txt:
          DESCRIPTION
              "This group is optional for Frame Relay interfaces.
              It is mandatory if and only if accounting is performed
              on a logical port basis this Frame Relay interface."

          OBJECT frPVCEndptInMaxFrameSize

rfc1604.txt:
      frnetservAccountPVCGroup OBJECT-GROUP
          OBJECTS { frAccountPVCSegmentSize, frAccountPVCInSegments,
                    frAccountPVCOutSegments }
          STATUS  current
          DESCRIPTION
              "A collection of objects providing accounting
              information application to a Frame Relay PVC end-point."
          ::= { frnetservGroups 5 }

      frnetservAccountLportGroup OBJECT-GROUP
          OBJECTS { frAccountLportSegmentSize, frAccountLportInSegments,
                    frAccountLportOutSegments }
          STATUS  current
          DESCRIPTION
              "A collection of objects providing accounting
              information application to a Frame Relay logical port."
          ::= { frnetservGroups 6 }

rfc3162.txt:
3.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.

   Request Accept Reject Challenge Accounting  #   Attribute
                                   Request
   0-1     0      0      0         0-1         95  NAS-IPv6-Address
   0-1     0-1    0      0         0-1         96  Framed-Interface-Id
   0+      0+     0      0         0+          97  Framed-IPv6-Prefix
   0+      0+     0      0         0+          98  Login-IPv6-Host

rfc3162.txt:
   [4]  Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote
        Authentication Dial In User Service (RADIUS)", RFC 2865, June
        2000.

   [5]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [6]  Zorn, G., Mitton, D. and B. Aboba, "RADIUS Accounting
        Modifications for Tunnel Protocol Support", RFC 2867, June
        2000.

   [7]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M.
        and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support",

rfc3162.txt:
        Architecture", RFC 2373, July 1998.

5.  Security Considerations

   This document describes the use of RADIUS for the purposes of
   authentication, authorization and accounting in IPv6-enabled
   networks.  In such networks, the RADIUS protocol may run either over
   IPv4 or over IPv6.  Known security vulnerabilities of the RADIUS
   protocol are described in [3], [4] and [8].

   Since IPSEC [9] is mandatory to implement for IPv6, it is expected

rfc1742.txt:
          papServerStatus                 DisplayString,
          papServerCompletedJobs          Counter,
          papServerBusyJobs               INTEGER,
          papServerFreeJobs               INTEGER,
          papServerAuthenticationFailures Counter,
          papServerAccountingFailures     Counter,
          papServerGeneralFailures        Counter,
          papServerState                  INTEGER,
          papServerLastStatusMsg          DisplayString
      }

rfc1742.txt:
          DESCRIPTION
              "The number of times this PAP server rejected a job
              because the job was not correctly authenticated."
          ::= { papServerEntry 7 }

      papServerAccountingFailures OBJECT-TYPE
          SYNTAX  Counter
          ACCESS  read-only
          STATUS  mandatory
          DESCRIPTION
              "The number of times this PAP server rejected a job
              because the job did not fit some accounting rule,
              such as exceeding a quota."
          ::= { papServerEntry 8 }

      papServerGeneralFailures OBJECT-TYPE
          SYNTAX  Counter
          ACCESS  read-only
          STATUS  mandatory
          DESCRIPTION
              "The number of times this PAP server rejected a job
              for some reason other than authentication or
              accounting failures."
          ::= { papServerEntry 9 }

      papServerState OBJECT-TYPE
          SYNTAX  INTEGER {
                      valid(1),

rfc5590.txt:
RFC 5590                SNMP Transport Subsystem               June 2009

   In times of network stress, a Secure Transport Model might not work
   properly if its underlying security mechanisms (e.g., Network Time
   Protocol (NTP) or Authentication, Authorization, and Accounting (AAA)
   protocols or certificate authorities) are not reachable.  The
   User-based Security Model was explicitly designed to not depend upon
   external network services, and provides its own security services.
   It is RECOMMENDED that operators provision authPriv USM as a fallback
   mechanism to supplement any Security Model or Transport Model that

rfc5066.txt:
   active PME (e.g., for 2BaseTL PMEs it is a multiple of 64 Kbps).  A
   zero value SHALL be returned when the PME is Initializing or Down.

   The ifSpeed of the PCS is the sum of the current operating data rates
   of all PMEs in the aggregation group, without the 64/65-octet
   encapsulation overhead and PAF overhead, but accounting for the
   Inter-Frame Gaps (IFGs).

   When using the stated definition of ifSpeed for the PCS, there would
   be no frame loss in the following configuration (the test-sets are
   configured to generate 100% of back-to-back traffic, i.e., minimal

rfc5066.txt:
   |               | 2BASE-TL PME, vdsl(97) for 10PASS-TS PME.          |
   | ifSpeed       | Operating data rate for the PME.  For the PCS, it  |
   |               | is the sum of the current operating data rates of  |
   |               | all PMEs in the aggregation group, without the     |
   |               | 64/65-octet encapsulation overhead and PAF         |
   |               | overhead, but accounting for the Inter-Frame Gaps  |
   |               | (IFGs).                                            |
   +---------------+----------------------------------------------------+
   | ifAdminStatus | Setting this object to 'up' instructs a            |
   |               | particular PCS (with all PMEs connected to it) or  |
   |               | PME to start initialization process.               |

rfc2621.txt:
Request for Comments: 2621                                      B. Aboba
Category: Informational                                        Microsoft
                                                               June 1999

                      RADIUS Accounting Server MIB

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of

rfc2621.txt:
   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   This memo defines a set of extensions which instrument RADIUS
   accounting server functions.  These extensions represent a portion of
   the Management Information Base (MIB) for use with network management
   protocols in the Internet community.  Using these extensions IP-based
   management stations can manage RADIUS accounting servers.

1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes managed objects used for managing RADIUS
   accounting servers.

   RADIUS accounting servers are today widely deployed by dialup
   Internet Service Providers, in order to provide accounting services.
   As a result, the effective management of RADIUS accounting servers is
   of considerable importance.

2.  The SNMP Management Framework

   The SNMP Management Framework presently consists of five major

rfc2621.txt:
Zorn & Aboba                 Informational                      [Page 1]

RFC 2621             RADIUS Accounting Server MIB              June 1999

   STD 15, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4].
   The second version, called SMIv2, is described in STD 58, RFC
   2578 [5], RFC 2579 [6] and RFC 2580 [7].

rfc2621.txt:
   readable information is not considered to change the semantics of the
   MIB.

3.  Overview

   The RADIUS accounting protocol, described in [16], distinguishes
   between the client function and the server function.  In RADIUS
   accounting, clients send Accounting-Requests, and servers reply with
   Accounting-Responses.  Typically NAS devices implement the client
   function, and thus would be expected to implement the RADIUS
   accounting client MIB, while RADIUS accounting servers implement the
   server function, and thus would be expected to implement the RADIUS
   accounting server MIB.
   However, it is possible for a RADIUS accounting entity to perform
   both client and server functions.  For example, a RADIUS proxy may act
   as a server to one or more RADIUS accounting clients, while
   simultaneously acting as an accounting client to one or more
   accounting servers.  In such situations, it is expected that RADIUS
   entities combining client and server functionality will support both
   the client and server MIBs.

3.1.  Selected objects

   This MIB module contains thirteen scalars as well as a single table:

   (1)  the RADIUS Accounting Client Table contains one row for each
        RADIUS accounting client that the server shares a secret with.

   Each entry in the RADIUS Accounting Client Table includes eleven
   columns presenting a view of the activity of the RADIUS accounting
   server.

4.  Definitions

RADIUS-ACC-SERVER-MIB DEFINITIONS ::= BEGIN

rfc2621.txt:
              Phone: +1 425 936 6605
              EMail: bernarda@microsoft.com"
       DESCRIPTION
             "The MIB module for entities implementing the server
              side of the Remote Access Dialin User Service (RADIUS)
              accounting protocol."
       REVISION "9906110000Z"    -- 11 Jun 1999
       DESCRIPTION "Initial version as published in RFC 2621"

       ::= { radiusAccounting 1 }

radiusMIB OBJECT-IDENTITY
       STATUS  current
       DESCRIPTION
             "The OID assigned to RADIUS MIB work by the IANA."
../data/rfc/rfc2621.txt- ::= { mib-2 67 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2} ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServMIBObjects OBJECT IDENTIFIER ::= ../data/rfc/rfc2621.txt- { radiusAccServMIB 1 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServ OBJECT IDENTIFIER ::= { radiusAccServMIBObjects 1 } -- ../data/rfc/rfc2621.txt- SYNTAX SnmpAdminString ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt- "The implementation identification string for the ../data/rfc/rfc2621.txt: RADIUS accounting server software in use on the ../data/rfc/rfc2621.txt- system, for example; `FNS-2.1'" ../data/rfc/rfc2621.txt- ::= {radiusAccServ 1} ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServUpTime OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX TimeTicks -- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 4] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- this value will be zero." ../data/rfc/rfc2621.txt- ::= {radiusAccServ 3} ../data/rfc/rfc2621.txt- -- ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt- "The number of packets received on the ../data/rfc/rfc2621.txt: accounting port." 
../data/rfc/rfc2621.txt- ::= { radiusAccServ 5 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServTotalInvalidRequests OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc2621.txt- received from unknown addresses." ../data/rfc/rfc2621.txt- ::= { radiusAccServ 6 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServTotalDupRequests OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of duplicate RADIUS Accounting-Request ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 5] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- packets received." ../data/rfc/rfc2621.txt- ::= { radiusAccServ 7 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServTotalResponses OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of RADIUS Accounting-Response packets sent." ../data/rfc/rfc2621.txt- ::= { radiusAccServ 8 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServTotalMalformedRequests OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of malformed RADIUS Accounting-Request ../data/rfc/rfc2621.txt- packets received. 
Bad authenticators or unknown ../data/rfc/rfc2621.txt- types are not included as malformed Access-Requests." ../data/rfc/rfc2621.txt- ::= { radiusAccServ 9 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServTotalBadAuthenticators OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc2621.txt- which contained invalid Signature attributes." ../data/rfc/rfc2621.txt- ::= { radiusAccServ 10 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServTotalPacketsDropped OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 -- ../data/rfc/rfc2621.txt-radiusAccServTotalNoRecords OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc2621.txt- which were received and responded to but not ../data/rfc/rfc2621.txt- recorded." ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 6] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ::= { radiusAccServ 12 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServTotalUnknownTypes OBJECT-TYPE -- ../data/rfc/rfc2621.txt-radiusAccClientTable OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX SEQUENCE OF RadiusAccClientEntry ../data/rfc/rfc2621.txt- MAX-ACCESS not-accessible ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The (conceptual) table listing the RADIUS accounting ../data/rfc/rfc2621.txt- clients with which the server shares a secret." 
../data/rfc/rfc2621.txt- ::= { radiusAccServ 14 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccClientEntry OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX RadiusAccClientEntry ../data/rfc/rfc2621.txt- MAX-ACCESS not-accessible ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt- "An entry (conceptual row) representing a RADIUS ../data/rfc/rfc2621.txt: accounting client with which the server shares a secret." ../data/rfc/rfc2621.txt- INDEX { radiusAccClientIndex } ../data/rfc/rfc2621.txt- ::= { radiusAccClientTable 1 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-RadiusAccClientEntry ::= SEQUENCE { ../data/rfc/rfc2621.txt- radiusAccClientIndex Integer32, -- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 7] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- MAX-ACCESS not-accessible ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "A number uniquely identifying each RADIUS accounting ../data/rfc/rfc2621.txt- client with which this server communicates." ../data/rfc/rfc2621.txt- ::= { radiusAccClientEntry 1 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccClientAddress OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX IpAddress ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The NAS-IP-Address of the RADIUS accounting client ../data/rfc/rfc2621.txt- referred to in this table entry." 
../data/rfc/rfc2621.txt- ::= { radiusAccClientEntry 2 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccClientID OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX SnmpAdminString ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The NAS-Identifier of the RADIUS accounting client ../data/rfc/rfc2621.txt- referred to in this table entry. This is not necessarily ../data/rfc/rfc2621.txt- the same as sysName in MIB II." ../data/rfc/rfc2621.txt- ::= { radiusAccClientEntry 3 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt--- Server Counters -- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 8] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt- "The number of packets received from this ../data/rfc/rfc2621.txt: client on the accounting port." ../data/rfc/rfc2621.txt- ::= { radiusAccClientEntry 5 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServDupRequests OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of duplicate RADIUS Accounting-Request ../data/rfc/rfc2621.txt- packets received from this client." 
../data/rfc/rfc2621.txt- ::= { radiusAccClientEntry 6 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServResponses OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of RADIUS Accounting-Response packets ../data/rfc/rfc2621.txt- sent to this client." ../data/rfc/rfc2621.txt- ::= { radiusAccClientEntry 7 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServBadAuthenticators OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc2621.txt- which contained invalid authenticators received ../data/rfc/rfc2621.txt- from this client." ../data/rfc/rfc2621.txt- ::= { radiusAccClientEntry 8 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServMalformedRequests OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of malformed RADIUS Accounting-Request ../data/rfc/rfc2621.txt- packets which were received from this client. ../data/rfc/rfc2621.txt- Bad authenticators and unknown types ../data/rfc/rfc2621.txt: are not included as malformed Accounting-Requests." 
../data/rfc/rfc2621.txt- ::= { radiusAccClientEntry 9 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServNoRecords OBJECT-TYPE ../data/rfc/rfc2621.txt- SYNTAX Counter32 ../data/rfc/rfc2621.txt- MAX-ACCESS read-only ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 9] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc2621.txt- which were received and responded to but not ../data/rfc/rfc2621.txt- recorded." ../data/rfc/rfc2621.txt- ::= { radiusAccClientEntry 10 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServUnknownTypes OBJECT-TYPE -- ../data/rfc/rfc2621.txt--- compliance statements ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-radiusAccServMIBCompliance MODULE-COMPLIANCE ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt: "The compliance statement for accounting servers ../data/rfc/rfc2621.txt: implementing the RADIUS Accounting Server MIB." 
../data/rfc/rfc2621.txt- MODULE -- this module ../data/rfc/rfc2621.txt- MANDATORY-GROUPS { radiusAccServMIBGroup } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- OBJECT radiusAccServConfigReset ../data/rfc/rfc2621.txt- WRITE-SYNTAX INTEGER { reset(2) } -- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 10] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- radiusAccServResetTime, ../data/rfc/rfc2621.txt- radiusAccServConfigReset, ../data/rfc/rfc2621.txt- radiusAccServTotalRequests, -- ../data/rfc/rfc2621.txt- radiusAccServUnknownTypes ../data/rfc/rfc2621.txt- } ../data/rfc/rfc2621.txt- STATUS current ../data/rfc/rfc2621.txt- DESCRIPTION ../data/rfc/rfc2621.txt- "The collection of objects providing management of ../data/rfc/rfc2621.txt: a RADIUS Accounting Server." ../data/rfc/rfc2621.txt- ::= { radiusAccServMIBGroups 1 } ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-END ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-5. References -- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 11] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- [5] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, ../data/rfc/rfc2621.txt- M. and S. Waldbusser, "Structure of Management Information ../data/rfc/rfc2621.txt- Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. -- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- [15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access ../data/rfc/rfc2621.txt- Control Model for the Simple Network Management Protocol ../data/rfc/rfc2621.txt- (SNMP)", RFC 2575, April 1999. 
../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt: [16] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997. ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 12] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-6. Security Considerations ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- There are management objects (radiusAccServConfigReset) defined in -- ../data/rfc/rfc2621.txt- There are a number of managed objects in this MIB that may contain ../data/rfc/rfc2621.txt- sensitive information. These are: ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- radiusAccClientAddress ../data/rfc/rfc2621.txt- This can be used to determine the address of the RADIUS ../data/rfc/rfc2621.txt: accounting client with which the server is communicating. ../data/rfc/rfc2621.txt- This information could be useful in impersonating the ../data/rfc/rfc2621.txt- client. ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- radiusAccClientID This can be used to determine the client ID for the ../data/rfc/rfc2621.txt: accounting client with which the server is communicating. ../data/rfc/rfc2621.txt- This information could be useful in impersonating the ../data/rfc/rfc2621.txt- client. 
../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- It is thus important to control even GET access to these objects and ../data/rfc/rfc2621.txt- possibly to even encrypt the values of these object when sending them -- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 13] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-8. Authors' Addresses ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- Bernard Aboba -- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-Zorn & Aboba Informational [Page 14] ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt:RFC 2621 RADIUS Accounting Server MIB June 1999 ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt-9. Full Copyright Statement ../data/rfc/rfc2621.txt- ../data/rfc/rfc2621.txt- Copyright (C) The Internet Society (1999). All Rights Reserved. -- ../data/rfc/rfc5433.txt- discard the packet. ../data/rfc/rfc5433.txt- ../data/rfc/rfc5433.txt- GPSK-1 contains no MAC protection, so provided it properly parses, it ../data/rfc/rfc5433.txt- MUST be accepted by the peer. If the EAP peer has no ciphersuites in ../data/rfc/rfc5433.txt- common with the server or decides the ID_Server is that of an ../data/rfc/rfc5433.txt: Authentication, Authorization, and Accounting (AAA) server to which ../data/rfc/rfc5433.txt- it does not wish to authenticate, the EAP peer MUST respond with an ../data/rfc/rfc5433.txt- EAP-NAK. ../data/rfc/rfc5433.txt- ../data/rfc/rfc5433.txt- For GPSK-2, if the ID_Peer is for an unknown user, the EAP server ../data/rfc/rfc5433.txt- MUST send either a "PSK Not Found" GPSK-Fail message or an -- ../data/rfc/rfc7944.txt- ../data/rfc/rfc7944.txt-11.1. 
AVP Codes ../data/rfc/rfc7944.txt- ../data/rfc/rfc7944.txt- The new AVP defined by this specification is listed in Section 9. ../data/rfc/rfc7944.txt- All AVP codes are allocated from the "AVP Codes" subregistry of the ../data/rfc/rfc7944.txt: "Authentication, Authorization, and Accounting (AAA) Parameters" ../data/rfc/rfc7944.txt- registry. ../data/rfc/rfc7944.txt- ../data/rfc/rfc7944.txt-12. Security Considerations ../data/rfc/rfc7944.txt- ../data/rfc/rfc7944.txt- DRMP gives Diameter nodes the ability to influence which requests are -- ../data/rfc/rfc2594.txt- Application MIB [24]. ../data/rfc/rfc2594.txt- ../data/rfc/rfc2594.txt- This document defines a set of managed objects to monitor WWW ../data/rfc/rfc2594.txt- services for short-term operational purposes, such as problem ../data/rfc/rfc2594.txt- detection and troubleshooting. No attempts are made here to cover ../data/rfc/rfc2594.txt: accounting or hit metering issues. ../data/rfc/rfc2594.txt- ../data/rfc/rfc2594.txt- The scope of the MIB is further limited by the requirement that an ../data/rfc/rfc2594.txt- implementation conforming to this MIB must be possible without ../data/rfc/rfc2594.txt- putting a huge CPU or memory burden on the WWW server implementation. ../data/rfc/rfc2594.txt- -- ../data/rfc/rfc5664.txt- When parity is present in the file, then there is an additional ../data/rfc/rfc5664.txt- computation to map from the file offset L to the offset that accounts ../data/rfc/rfc5664.txt- for embedded parity, L'. First compute L', and then use L' in the ../data/rfc/rfc5664.txt- above equations for C and O. 
../data/rfc/rfc5664.txt- ../data/rfc/rfc5664.txt: L = file offset, not accounting for parity ../data/rfc/rfc5664.txt- P = number of parity devices in each stripe ../data/rfc/rfc5664.txt- W = group_width, if not zero, else size of olo_components array ../data/rfc/rfc5664.txt- N = L / (W-P * stripe_unit) ../data/rfc/rfc5664.txt- L' = N * (W * stripe_unit) + ../data/rfc/rfc5664.txt- (L % (W-P * stripe_unit)) -- ../data/rfc/rfc5664.txt- get C'. Finally, increase C' by one if the parity information comes ../data/rfc/rfc5664.txt- at or before C' within that stripe. The following equations ../data/rfc/rfc5664.txt- illustrate this by computing I, which is the index of the component ../data/rfc/rfc5664.txt- that contains parity for a given stripe. ../data/rfc/rfc5664.txt- ../data/rfc/rfc5664.txt: L = file offset, not accounting for parity ../data/rfc/rfc5664.txt- W = odm_group_width, if not zero, else size of olo_components array ../data/rfc/rfc5664.txt- N = L / (W-1 * stripe_unit) ../data/rfc/rfc5664.txt- (Compute L' as describe above) ../data/rfc/rfc5664.txt- (Compute C based on L' as described above) ../data/rfc/rfc5664.txt- C' = (C - (N%W)) % W -- ../data/rfc/rfc3837.txt- 2.2.9. Denial of Service (DoS) . . . . . . . . . . . . 9 ../data/rfc/rfc3837.txt- 2.2.10. Tracing and Notification Information . . . . . . 9 ../data/rfc/rfc3837.txt- 2.2.11. Unauthenticated Communication in OPES Flow . . . 9 ../data/rfc/rfc3837.txt- 3. Threats to Out-of-Band Data . . . . . . . . . . . . . . . . . 9 ../data/rfc/rfc3837.txt- 3.1. Threats that Endanger the OPES Data Flow . . . . . . . . 10 ../data/rfc/rfc3837.txt: 3.2. Inaccurate Accounting Information . . . . . . . . . . . 10 ../data/rfc/rfc3837.txt- 3.3. OPES Service Request Repudiation . . . . . . . . . . . . 11 ../data/rfc/rfc3837.txt- 3.4. Inconsistent Privacy Policy . . . . . . . . . . . . . . 11 ../data/rfc/rfc3837.txt- 3.5. Exposure of Privacy Preferences . . . . . . . . . . . . 11 ../data/rfc/rfc3837.txt- 3.6. 
Exposure of Security Settings . . . . . . . . . . . . . 11 ../data/rfc/rfc3837.txt- 3.7. Improper Enforcement of Privacy and Security Policy . . 11 -- ../data/rfc/rfc3837.txt- ../data/rfc/rfc3837.txt- An OPES system implementation should address all these threats and ../data/rfc/rfc3837.txt- prove its robustness and ability to withstand malicious attacks or ../data/rfc/rfc3837.txt- networking and programming problems. ../data/rfc/rfc3837.txt- ../data/rfc/rfc3837.txt:3.2. Inaccurate Accounting Information ../data/rfc/rfc3837.txt- ../data/rfc/rfc3837.txt: Collecting and reporting accurate accounting data may be vital when ../data/rfc/rfc3837.txt- OPES servers are used to extend a business model of a content ../data/rfc/rfc3837.txt- provider, service provider, or as a basis for third party service. ../data/rfc/rfc3837.txt: The ability to collect and process accounting data is an important ../data/rfc/rfc3837.txt- part of OPES' system functionality. This functionality may be ../data/rfc/rfc3837.txt: challenged by distortion or destruction of base accounting data ../data/rfc/rfc3837.txt: (usually logs), processed accounting data, accounting parameters, and ../data/rfc/rfc3837.txt- reporting configuration. ../data/rfc/rfc3837.txt- ../data/rfc/rfc3837.txt- As a result a data consumer may be inappropriately charged for ../data/rfc/rfc3837.txt- viewing content that was not successfully delivered, or a content ../data/rfc/rfc3837.txt- provider or independent OPES services provider may not be compensated ../data/rfc/rfc3837.txt- for the services performed. ../data/rfc/rfc3837.txt- ../data/rfc/rfc3837.txt: The OPES system may use accounting information to distribute ../data/rfc/rfc3837.txt- resources between different consumers or limit resource usage by a ../data/rfc/rfc3837.txt: specific consumer. 
In this case an attack on the accounting system ../data/rfc/rfc3837.txt- (by distortion of data or issuing false configuration commands) may ../data/rfc/rfc3837.txt- result in incorrect resource management and DoS by artificial ../data/rfc/rfc3837.txt- resource starvation. ../data/rfc/rfc3837.txt- ../data/rfc/rfc3837.txt- -- ../data/rfc/rfc1946.txt- ../data/rfc/rfc1946.txt- The requested maximum byte transmission rate for ST-2 is: ../data/rfc/rfc1946.txt- ../data/rfc/rfc1946.txt- PDUbytes * PDUrate * 10. ../data/rfc/rfc1946.txt- ../data/rfc/rfc1946.txt: Accounting for the AAL 5 and ST headers, the maximum byte rate ../data/rfc/rfc1946.txt- is: ../data/rfc/rfc1946.txt- ../data/rfc/rfc1946.txt- Bytes per second = (PDUbytes + 8 + 8) * PDUrate * 10. ../data/rfc/rfc1946.txt- ../data/rfc/rfc1946.txt- Translating into cells and eliminating the possibility of a -- ../data/rfc/rfc8565.txt- A generic solution to this problem is to use an "Anti-HTJP-Nonce" ../data/rfc/rfc8565.txt- HTTP header in HTTP responses. The value of an "Anti-HTJP-Nonce" ../data/rfc/rfc8565.txt- header SHOULD be a cryptographically secure random number in any ../data/rfc/rfc8565.txt- encoding that is valid for an HTTP header value. The length of this ../data/rfc/rfc8565.txt- number SHOULD be determined by the producer of the HTTP response, ../data/rfc/rfc8565.txt: accounting for their method of random number generation and their ../data/rfc/rfc8565.txt- threat model. ../data/rfc/rfc8565.txt- ../data/rfc/rfc8565.txt-7.2. HTJPS ../data/rfc/rfc8565.txt- ../data/rfc/rfc8565.txt- HTJP, being just HTTP, has most of the same security concerns and -- ../data/rfc/rfc5475.txt- counts [JePP92] up to the estimation of whole distributions of flow ../data/rfc/rfc5475.txt- characteristics (e.g., packet sizes) [ClPB93]. ../data/rfc/rfc5475.txt- ../data/rfc/rfc5475.txt- Second, the required accuracy of the information and with this, the ../data/rfc/rfc5475.txt- confidence that is aimed at, should be known in advance. 
For ../data/rfc/rfc5475.txt: instance, for usage-based accounting the required confidence for the ../data/rfc/rfc5475.txt- estimation of packet counters can depend on the monetary value that ../data/rfc/rfc5475.txt- corresponds to the transfer of one packet. That means that a higher ../data/rfc/rfc5475.txt- confidence could be required for expensive packet flows (e.g., ../data/rfc/rfc5475.txt- premium IP service) than for cheaper flows (e.g., best effort). The ../data/rfc/rfc5475.txt- accuracy requirements for validating a previously agreed quality can -- ../data/rfc/rfc5475.txt- [DuLT01] N.G. Duffield, C. Lund, and M. Thorup, "Charging from ../data/rfc/rfc5475.txt- Sampled Network Usage", ACM Internet Measurement Workshop ../data/rfc/rfc5475.txt- IMW 2001, San Francisco, USA, November 1-2, 2001. ../data/rfc/rfc5475.txt- ../data/rfc/rfc5475.txt- [EsVa01] C. Estan and G. Varghese, "New Directions in Traffic ../data/rfc/rfc5475.txt: Measurement and Accounting", ACM SIGCOMM Internet ../data/rfc/rfc5475.txt- Measurement Workshop 2001, San Francisco (CA) Nov. 2001. ../data/rfc/rfc5475.txt- ../data/rfc/rfc5475.txt- [GoRe07] S. Goldberg, J. Rexford, "Security Vulnerabilities and ../data/rfc/rfc5475.txt- Solutions for Packet Sampling", IEEE Sarnoff Symposium, ../data/rfc/rfc5475.txt- Princeton, NJ, May 2007. -- ../data/rfc/rfc1107.txt- ../data/rfc/rfc1107.txt- - Accountability: ../data/rfc/rfc1107.txt- ../data/rfc/rfc1107.txt- Accountability is important both for allocation and recovery of ../data/rfc/rfc1107.txt- costs. Vendors may provide commercial directory services, ../data/rfc/rfc1107.txt: therefore depending on accounting as part of their successful ../data/rfc/rfc1107.txt- commercial ventures. 
../data/rfc/rfc1107.txt- ../data/rfc/rfc1107.txt- - Multiple Interfaces: ../data/rfc/rfc1107.txt- ../data/rfc/rfc1107.txt- There should be both human and programming interfaces to the -- ../data/rfc/rfc4441.txt- ../data/rfc/rfc4441.txt-Abstract ../data/rfc/rfc4441.txt- ../data/rfc/rfc4441.txt- Since the late 1980s, IEEE 802 and IETF have cooperated in the ../data/rfc/rfc4441.txt- development of Simple Network Management Protocol (SNMP) MIBs and ../data/rfc/rfc4441.txt: Authentication, Authorization, and Accounting (AAA) applications. ../data/rfc/rfc4441.txt- This document describes the policies and procedures that have ../data/rfc/rfc4441.txt- developed in order to coordinate between the two organizations, as ../data/rfc/rfc4441.txt- well as some of the relationship history. ../data/rfc/rfc4441.txt- ../data/rfc/rfc4441.txt-Table of Contents -- ../data/rfc/rfc4441.txt- ../data/rfc/rfc4441.txt-1. Introduction ../data/rfc/rfc4441.txt- ../data/rfc/rfc4441.txt- Since the late 1980s, participants in IEEE 802 and the IETF have ../data/rfc/rfc4441.txt- cooperated in the development of Management Information Bases (MIBs) ../data/rfc/rfc4441.txt: and Authentication, Authorization, and Accounting (AAA) applications ../data/rfc/rfc4441.txt- relating to IEEE standards. This has included the Bridge MIB ../data/rfc/rfc4441.txt- [RFC1493] [RFC4188], the multicast filtering and VLAN extension MIB ../data/rfc/rfc4441.txt- [RFC2674] [RFC4363], the Hub MIB [RFC2108], the Ethernet-like ../data/rfc/rfc4441.txt- Interfaces MIB [RFC3635], the MAU MIB [RFC3636], the WAN Interfaces ../data/rfc/rfc4441.txt- Sublayer MIB [RFC3637], the Power Ethernet MIB [RFC3621], IEEE 802.1X -- ../data/rfc/rfc4441.txt- ../data/rfc/rfc4441.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, ../data/rfc/rfc4441.txt- "Remote Authentication Dial In User Service ../data/rfc/rfc4441.txt- (RADIUS)", RFC 2865, June 2000. 
../data/rfc/rfc4441.txt

   [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [RFC2867] Zorn, G., Aboba, B., and D. Mitton, "RADIUS
             Accounting Modifications for Tunnel Protocol
             Support", RFC 2867, June 2000.

   [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J.,
             Holdrege, M., and I. Goyret, "RADIUS Attributes for
             Tunnel Protocol Support", RFC 2868, June 2000.
--
../data/rfc/rfc3588.txt

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   The Diameter base protocol is intended to provide an Authentication,
   Authorization and Accounting (AAA) framework for applications such as
   network access or IP mobility.  Diameter is also intended to work in
   both local Authentication, Authorization & Accounting and roaming
   situations.  This document specifies the message format, transport,
   error reporting, accounting and security services to be used by all
   Diameter applications.  The Diameter base application needs to be
   supported by all Diameter implementations.

Conventions Used In This Document

--
      1.1.1.  Description of the Document Set.............. 10
   1.2.  Approach to Extensibility............................. 11
      1.2.1.  Defining New AVP Values...................... 11
      1.2.2.  Creating New AVPs............................ 11
      1.2.3.  Creating New Authentication Applications..... 11
      1.2.4.  Creating New Accounting Applications......... 12
      1.2.5.  Application Authentication Procedures........ 14
   1.3.  Terminology........................................... 14
2.  Protocol Overview............................................ 18
   2.1.  Transport............................................. 20
      2.1.1.  SCTP Guidelines.............................. 21
--
   7.5.  Failed-AVP AVP........................................ 89
   7.6.  Experimental-Result AVP............................... 90
   7.7.  Experimental-Result-Code AVP.......................... 90
8.  Diameter User Sessions....................................... 90
   8.1.  Authorization Session State Machine................... 92
   8.2.  Accounting Session State Machine...................... 96
   8.3.  Server-Initiated Re-Auth.............................. 101
      8.3.1.  Re-Auth-Request.............................. 102
      8.3.2.  Re-Auth-Answer............................... 102
   8.4.  Session Termination................................... 103
      8.4.1.  Session-Termination-Request.................. 104
--
   8.17.  Session-Binding AVP................................... 113
   8.18.  Session-Server-Failover AVP........................... 113
   8.19.  Multi-Round-Time-Out AVP.............................. 114
   8.20.  Class AVP............................................. 114
   8.21.  Event-Timestamp AVP................................... 115
9.  Accounting................................................... 115
   9.1.  Server Directed Model................................. 115
   9.2.  Protocol Messages..................................... 116
   9.3.  Application Document Requirements..................... 116
   9.4.  Fault Resilience...................................... 116
   9.5.  Accounting Records.................................... 117
   9.6.  Correlation of Accounting Records..................... 118

Calhoun, et al.             Standards Track                     [Page 4]

RFC 3588                Diameter Based Protocol           September 2003

   9.7.  Accounting Command-Codes.............................. 119
      9.7.1.  Accounting-Request........................... 119
      9.7.2.  Accounting-Answer............................ 120
   9.8.  Accounting AVPs....................................... 121
      9.8.1.  Accounting-Record-Type AVP................... 121
      9.8.2.  Acct-Interim-Interval AVP.................... 122
      9.8.3.  Accounting-Record-Number AVP................. 123
      9.8.4.  Acct-Session-Id AVP.......................... 123
      9.8.5.  Acct-Multi-Session-Id AVP.................... 123
      9.8.6.  Accounting-Sub-Session-Id AVP................ 123
      9.8.7.  Accounting-Realtime-Required AVP............. 123
10.  AVP Occurrence Table......................................... 124
   10.1.  Base Protocol Command AVP Table....................... 124
   10.2.  Accounting AVP Table.................................. 126
11.  IANA Considerations.......................................... 127
   11.1.  AVP Header............................................ 127
      11.1.1.  AVP Code..................................... 127
      11.1.2.  AVP Flags.................................... 128
   11.2.  Diameter Header....................................... 128
      11.2.1.  Command Codes................................ 128
      11.2.2.  Command Flags................................ 129
   11.3.  Application Identifiers............................... 129
   11.4.  AVP Values............................................ 129
      11.4.1.  Result-Code AVP Values....................... 129
      11.4.2.  Accounting-Record-Type AVP Values............ 130
      11.4.3.  Termination-Cause AVP Values................. 130
      11.4.4.  Redirect-Host-Usage AVP Values............... 130
      11.4.5.  Session-Server-Failover AVP Values........... 130
      11.4.6.  Session-Binding AVP Values................... 130
      11.4.7.  Disconnect-Cause AVP Values.................. 130
      11.4.8.  Auth-Request-Type AVP Values................. 130
      11.4.9.  Auth-Session-State AVP Values................ 130
      11.4.10.  Re-Auth-Request-Type AVP Values.............. 131
      11.4.11.  Accounting-Realtime-Required AVP Values...... 131
   11.5.  Diameter TCP/SCTP Port Numbers........................ 131
   11.6.  NAPTR Service Fields.................................. 131
12.  Diameter Protocol Related Configurable Parameters............ 131
13.  Security Considerations...................................... 132
   13.1.  IPsec Usage........................................... 133
--
   Authors' Addresses............................................... 146
   Full Copyright Statement......................................... 147

1.  Introduction

   Authentication, Authorization and Accounting (AAA) protocols such as
   TACACS [TACACS] and RADIUS [RADIUS] were initially deployed to
   provide dial-up PPP [PPP] and terminal server access.  Over time,
   with the growth of the Internet and the introduction of new access
   technologies, including wireless, DSL, Mobile IP and Ethernet,
   routers and network access servers (NAS) have increased in complexity
--
      scheme that is required only for use with Response packets.  While
      [RADEXT] defines an additional authentication and integrity
      mechanism, use is only required during Extensible Authentication
      Protocol (EAP) sessions.  While attribute-hiding is supported,
      [RADIUS] does not provide support for per-packet confidentiality.
      In accounting, [RADACCT] assumes that replay protection is
      provided by the backend billing server, rather than within the
      protocol itself.

      While [RFC3162] defines the use of IPsec with RADIUS, support for
      IPsec is not required.  Since within [IKE] authentication occurs
--
   Reliable transport
      RADIUS runs over UDP, and does not define retransmission behavior;
      as a result, reliability varies between implementations.  As
      described in [ACCMGMT], this is a major issue in accounting, where
      packet loss may translate directly into revenue loss.  In order to
      provide well defined transport behavior, Diameter runs over
      reliable transport mechanisms (TCP, SCTP) as defined in
      [AAATRANS].

--
   -  Capabilities negotiation
   -  Error notification
   -  Extensibility, through addition of new commands and AVPs (required
      in [AAAREQ]).
   -  Basic services necessary for applications, such as handling of
      user sessions or accounting

   All data delivered by the protocol is in the form of an AVP.  Some of
   these AVP values are used by the Diameter protocol itself, while
   others deliver data associated with particular applications that
   employ Diameter.  AVPs may be added arbitrarily to Diameter messages,
--
   -  Transporting of service specific authorization information,
      between client and servers, allowing the peers to decide whether a
      user's access request should be granted.

   -  Exchanging resource usage information, which MAY be used for
      accounting purposes, capacity planning, etc.

   -  Relaying, proxying and redirecting of Diameter messages through a
      server hierarchy.

   The Diameter base protocol provides the minimum requirements needed
   for a AAA protocol, as required by [AAAREQ].  The base protocol may
   be used by itself for accounting purposes only, or it may be used
   with a Diameter application, such as Mobile IPv4 [DIAMMIP], or
   network access [NASREQ].  It is also possible for the base protocol
   to be extended for use in new applications, via the addition of new
   commands or AVPs.  At this time the focus of Diameter is network
   access and accounting applications.  A truly generic AAA protocol
   used by many applications might provide functionality not provided by
   Diameter.  Therefore, it is imperative that the designers of new
   applications understand their requirements before using Diameter.

--
   Any node can initiate a request.  In that sense, Diameter is a peer-
   to-peer protocol.  In this document, a Diameter Client is a device at
   the edge of the network that performs access control, such as a
   Network Access Server (NAS) or a Foreign Agent (FA).  A Diameter
   client generates Diameter messages to request authentication,
   authorization, and accounting services for the user.  A Diameter
   agent is a node that does not authenticate and/or authorize messages
   locally; agents include proxies, redirects and relay agents.  A
   Diameter server performs authentication and/or authorization of the
   user.  A Diameter node MAY act as an agent for certain requests while
   acting as a server for others.
--
   Terminal Server Access environment.  Consideration was given for
   servers that need to perform protocol conversion between Diameter and
   RADIUS.

   In summary, this document defines the base protocol specification for
   AAA, which includes support for accounting.  The Mobile IPv4 and the
   NASREQ documents describe applications that use this base
   specification for Authentication, Authorization and Accounting.

--
   mechanisms, including:

   -  Defining new AVP values
   -  Creating new AVPs
   -  Creating new authentication/authorization applications
   -  Creating new accounting applications
   -  Application authentication procedures

   Reuse of existing AVP values, AVPs and Diameter applications are
   strongly recommended.  Reuse simplifies standardization and
   implementation and avoids potential interoperability issues.  It is
--
   In order to justify allocation of a new application identifier,
   Diameter applications MUST define one Command Code, or add new
   mandatory AVPs to the ABNF.

   The expected AVPs MUST be defined in an ABNF [ABNF] grammar (see
   Section 3.2).  If the Diameter application has accounting
   requirements, it MUST also specify the AVPs that are to be present in
   the Diameter Accounting messages (see Section 9.3).  However, just
   because a new authentication application id is required, does not
   imply that a new accounting application id is required.

   When possible, a new Diameter application SHOULD reuse existing
   Diameter AVPs, in order to avoid defining multiple AVPs that carry
   similar information.

1.2.4.  Creating New Accounting Applications

   There are services that only require Diameter accounting.  Such
   services need to define the AVPs carried in the Accounting-Request
   (ACR)/ Accounting-Answer (ACA) messages, but do not need to define
   new command codes.  An implementation MAY add arbitrary non-mandatory
   AVPs (AVPs with the "M" bit not set) to any command defined in an
   application, including vendor-specific AVPs, without needing to
   define a new accounting application.  Please refer to Section 11.1.1
   for details.

   Application Identifiers are still required for Diameter capability
   exchange.  Every Diameter accounting application specification MUST
   have an IANA assigned Application Identifier (see Section 2.4) or a
   vendor specific Application Identifier.

   Every Diameter implementation MUST support accounting.  Basic
   accounting support is sufficient to handle any application that uses
   the ACR/ACA commands defined in this document, as long as no new
   mandatory AVPs are added.  A mandatory AVP is defined as one which
   has the "M" bit set when sent within an accounting command,
   regardless of whether it is required or optional within the ABNF for
   the accounting application.

   The creation of a new accounting application should be viewed as a
   last resort and MUST NOT be used unless a new command or additional
   mechanisms (e.g., application defined state machine) is defined
   within the application, or new mandatory AVPs are added to the ABNF.

   Within an accounting command, setting the "M" bit implies that a
   backend server (e.g., billing server) or the accounting server itself
   MUST understand the AVP in order to compute a correct bill.  If the
   AVP is not relevant to the billing process, when the AVP is included
   within an accounting command, it MUST NOT have the "M" bit set, even
   if the "M" bit is set when the same AVP is used within other Diameter
   commands (i.e., authentication/authorization commands).

   A DIAMETER base accounting implementation MUST be configurable to
   advertise supported accounting applications in order to prevent the
   accounting server from accepting accounting requests for unbillable
   services.  The combination of the home domain and the accounting
   application Id can be used in order to route the request to the
   appropriate accounting server.

   When possible, a new Diameter accounting application SHOULD attempt
   to reuse existing AVPs, in order to avoid defining multiple AVPs that
   carry similar information.

   If the base accounting is used without any mandatory AVPs, new
   commands or additional mechanisms (e.g., application defined state
   machine), then the base protocol defined standard accounting
   application Id (Section 2.4) MUST be used in ACR/ACA commands.

--
   such as Extensible Authentication Protocol [EAP], SHOULD be used.

1.3.  Terminology

   AAA
      Authentication, Authorization and Accounting.

   Accounting
      The act of collecting information on resource usage for the
      purpose of capacity planning, auditing, billing or cost
      allocation.

   Accounting Record
      An accounting record represents a summary of the resource
      consumption of a user over the entire session.  Accounting servers
      creating the accounting record may do so by processing interim
      accounting events or accounting events from several devices
      serving the same user.

   Authentication
      The act of verifying the identity of an entity (subject).

--
   AVP
      The Diameter protocol consists of a header followed by one or more
      Attribute-Value-Pairs (AVPs).  An AVP includes a header and is
      used to encapsulate protocol-specific data (e.g., routing
      information) as well as authentication, authorization or
      accounting information.

   Broker
      A broker is a business term commonly used in AAA infrastructures.
      A broker is either a relay, proxy or redirect agent, and MAY be
      operated by roaming consortiums.  Depending on the business model,
--
      A Diameter Security Exchange is a process through which two
      Diameter nodes establish end-to-end security.

   Diameter Server
      A Diameter Server is one that handles authentication,
      authorization and accounting requests for a particular realm.  By
      its very nature, a Diameter Server MUST support Diameter
      applications in addition to the base protocol.

   Downstream
      Downstream is used to identify the direction of a particular
--
   Interim accounting
      An interim accounting message provides a snapshot of usage during
      a user's session.  It is typically implemented in order to provide
      for partial accounting of a user's session in the case of a device
      reboot or other network problem prevents the reception of a
      session summary message or session record.

   Local Realm
      A local realm is the administrative domain providing services to a
--
   Real-time Accounting
      Real-time accounting involves the processing of information on
      resource usage within a defined time window.  Time constraints are
      typically imposed in order to limit financial risk.

   Relay Agent or Relay
      Relays forward requests and responses based on routing-related
--
   Sub-session
      A sub-session represents a distinct service (e.g., QoS or data
      characteristics) provided to a given session.  These services may
      happen concurrently (e.g., simultaneous voice and data transfer
      during the same session) or serially.  These changes in sessions
      are tracked with the Accounting-Sub-Session-Id.

   Transaction state
      The Diameter protocol requires that agents maintain transaction
      state, which is used for failover purposes.  Transaction state
      implies that upon forwarding a request, the Hop-by-Hop identifier
--
      The entity requesting or using some resource, in support of which
      a Diameter client has generated a request.

2.  Protocol Overview

   The base Diameter protocol may be used by itself for accounting
   applications, but for use in authentication and authorization it is
   always extended for a particular application.  Two Diameter
   applications are defined by companion documents: NASREQ [NASREQ],

--
   Mobile IPv4 [DIAMMIP].  These applications are introduced in this
   document but specified elsewhere.  Additional Diameter applications
   MAY be defined in the future (see Section 11.3).

   Diameter Clients MUST support the base protocol, which includes
   accounting.  In addition, they MUST fully support each Diameter
   application that is needed to implement the client's service, e.g.,
   NASREQ and/or Mobile IPv4.  A Diameter Client that does not support
   both NASREQ and Mobile IPv4, MUST be referred to as "Diameter X
   Client" where X is the application which it supports, and not a
   "Diameter Client".

   Diameter Servers MUST support the base protocol, which includes
   accounting.  In addition, they MUST fully support each Diameter
   application that is needed to implement the intended service, e.g.,
   NASREQ and/or Mobile IPv4.  A Diameter Server that does not support
   both NASREQ and Mobile IPv4, MUST be referred to as "Diameter X
   Server" where X is the application which it supports, and not a
   "Diameter Server".

   Diameter Relays and redirect agents are, by definition, protocol
   transparent, and MUST transparently support the Diameter base
   protocol, which includes accounting, and all Diameter applications.

   Diameter proxies MUST support the base protocol, which includes
   accounting.  In addition, they MUST fully support each Diameter
   application that is needed to implement proxied services, e.g.,
   NASREQ and/or Mobile IPv4.  A Diameter proxy which does not support
   also both NASREQ and Mobile IPv4, MUST be referred to as "Diameter X
   Proxy" where X is the application which it supports, and not a
   "Diameter Proxy".
--
   The following Application Identifier values are defined:

      Diameter Common Messages          0
      NASREQ                            1 [NASREQ]
      Mobile-IP                         2 [DIAMMIP]
      Diameter Base Accounting          3
      Relay                    0xffffffff

   Relay and redirect agents MUST advertise the Relay Application
   Identifier, while all other Diameter nodes MUST advertise locally
   supported applications.  The receiver of a Capabilities Exchange
--
   -  Never use end-to-end security.

   -  Use end-to-end security on messages containing sensitive AVPs.
      Which AVPs are sensitive is determined by service provider policy.
      AVPs containing keys and passwords should be considered sensitive.
      Accounting AVPs may be considered sensitive.  Any AVP for which
      the P bit may be set or which may be encrypted may be considered
      sensitive.

   -  Always use end-to-end security.

--
   transaction as specified by the contractual relationship between the
   server and the previous hop.  A DIAMETER_AUTHORIZATION_REJECTED error
   message (see Section 7.1.5) is sent if the route traversed by the
   request is unacceptable.

   A home realm may also wish to check that each accounting request
   message corresponds to a Diameter response authorizing the session.
   Accounting requests without corresponding authorization responses
   SHOULD be subjected to further scrutiny, as should accounting
   requests indicating a difference between the requested and provided
   service.

   Similarly, the local Diameter agent, on receiving a Diameter response
   authorizing a session, MUST check the Route-Record AVPs to make sure
--
   step, forwarding of an authorization response is considered evidence
   of a willingness to take on financial risk relative to the session.
   A local realm may wish to limit this exposure, for example, by
   establishing credit limits for intermediate realms and refusing to
   accept responses which would violate those limits.  By issuing an
   accounting request corresponding to the authorization response, the
   local realm implicitly indicates its agreement to provide the service
   indicated in the authorization response.  If the service cannot be
   provided by the local realm, then a DIAMETER_UNABLE_TO_COMPLY error
   message MUST be sent within the accounting request; a Diameter client
   receiving an authorization response for a service that it cannot
   perform MUST NOT substitute an alternate service, and then send
   accounting requests for the alternate service instead.

--
   11.3).

   Application-ID
      Application-ID is four octets and is used to identify to which
      application the message is applicable for.  The application can be
      an authentication application, an accounting application or a
      vendor specific application.  See Section 11.3 for the possible
      values that the application-id may use.

      The application-id in the header MUST be the same as what is
      contained in any relevant AVPs contained in the message.
--
      Command-Name                Abbrev.    Code       Reference
      --------------------------------------------------------
      Abort-Session-Request        ASR       274         8.5.1
      Abort-Session-Answer         ASA       274         8.5.2
      Accounting-Request           ACR       271         9.7.1
      Accounting-Answer            ACA       271         9.7.2
      Capabilities-Exchange-       CER       257         5.3.1
      Request
      Capabilities-Exchange-       CEA       257         5.3.2
      Answer
      Device-Watchdog-Request      DWR       280         5.5.1
--
   Additional information, encoded within AVPs, MAY also be included in
   answer messages.

4.  Diameter AVPs

   Diameter AVPs carry specific authentication, accounting,
   authorization, routing and security information as well as
   configuration details for the request and reply.

   Some AVPs MAY be listed more than once.  The effect of such an AVP is
   specific, and is specified in each case by the AVP description.
--
                   AVP  Section             |    |     |SHLD| MUST|    |
   Attribute Name  Code Defined  Data Type  |MUST| MAY | NOT|  NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   Acct-            85  9.8.2    Unsigned32 | M  |  P  |    |  V  | Y  |
     Interim-Interval                       |    |     |    |     |    |
   Accounting-     483  9.8.7    Enumerated | M  |  P  |    |  V  | Y  |
     Realtime-Required                      |    |     |    |     |    |
   Acct-            50  9.8.5    UTF8String | M  |  P  |    |  V  | Y  |
     Multi-Session-Id                       |    |     |    |     |    |
   Accounting-     485  9.8.3    Unsigned32 | M  |  P  |    |  V  | Y  |
     Record-Number                          |    |     |    |     |    |
   Accounting-     480  9.8.1    Enumerated | M  |  P  |    |  V  | Y  |
     Record-Type                            |    |     |    |     |    |
   Accounting-      44  9.8.4    OctetString| M  |  P  |    |  V  | Y  |
     Session-Id                             |    |     |    |     |    |
   Accounting-     287  9.8.6    Unsigned64 | M  |  P  |    |  V  | Y  |
     Sub-Session-Id                         |    |     |    |     |    |
   Acct-           259  6.9      Unsigned32 | M  |  P  |    |  V  | N  |
     Application-Id                         |    |     |    |     |    |
   Auth-           258  6.8      Unsigned32 | M  |  P  |    |  V  | N  |
     Application-Id                         |    |     |    |     |    |
--
   specification and have an Application ID assigned.

6.9.  Acct-Application-Id AVP

   The Acct-Application-Id AVP (AVP Code 259) is of type Unsigned32 and
   is used in order to advertise support of the Accounting portion of an
   application (see Section 2.4).  The Acct-Application-Id MUST also be
   present in all Accounting messages.  Exactly one of the Auth-
   Application-Id and Acct-Application-Id AVPs MAY be present.

6.10.  Inband-Security-Id AVP

   The Inband-Security-Id AVP (AVP Code 299) is of type Unsigned32 and
--
      The authentication process for the user failed, most likely due to
      an invalid password used by the user.  Further attempts MUST only
      be tried after prompting the user for a new password.

   DIAMETER_OUT_OF_SPACE                      4002
      A Diameter node received the accounting request but was unable to
      commit it to stable storage due to a temporary lack of space.

   ELECTION_LOST                              4003
      The peer has determined that it has lost the election process and
      has therefore disconnected the transport connection.
--
8.  Diameter User Sessions

   Diameter can provide two different types of services to applications.
   The first involves authentication and authorization, and can
   optionally make use of accounting.  The second only makes use of
   accounting.

--
   When a service makes use of the authentication and/or authorization
   portion of an application, and a user requests access to the network,
   the Diameter client issues an auth request to its local server.  The
   auth request is defined in a service specific Diameter application
   (e.g., NASREQ).  The request contains a Session-Id AVP, which is used
   in subsequent messages (e.g., subsequent authorization, accounting,
   etc) relating to the user's session.  The Session-Id AVP is a means
   for the client and servers to correlate a Diameter message with a
   user session.

   When a Diameter server authorizes a user to use network resources for
--
   When a service only makes use of the Accounting portion of the
   Diameter protocol, even in combination with an application, the
   Session-Id is still used to identify user sessions.  However, the
   session termination messages are not used, since a session is
   signaled as being terminated by issuing an accounting stop message.

8.1.
Authorization Session State Machine ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- This section contains a set of finite state machines, representing ../data/rfc/rfc3588.txt- the life cycle of Diameter sessions, and which MUST be observed by -- ../data/rfc/rfc3588.txt- ------------------------------------------------------------- ../data/rfc/rfc3588.txt- Idle Service-specific authorization Send serv. Idle ../data/rfc/rfc3588.txt- request received, and specific ../data/rfc/rfc3588.txt- successfully processed answer ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:8.2. Accounting Session State Machine ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The following state machines MUST be supported for applications that ../data/rfc/rfc3588.txt: have an accounting portion or that require only accounting services. ../data/rfc/rfc3588.txt- The first state machine is to be observed by clients. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: See Section 9.7 for Accounting Command Codes and Section 9.8 for ../data/rfc/rfc3588.txt: Accounting AVPs. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The server side in the accounting state machine depends in some cases ../data/rfc/rfc3588.txt- on the particular application. The Diameter base protocol defines a ../data/rfc/rfc3588.txt- default state machine that MUST be followed by all applications that ../data/rfc/rfc3588.txt- have not specified other state machines. This is the second state ../data/rfc/rfc3588.txt- machine in this section described below. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The default server side state machine requires the reception of ../data/rfc/rfc3588.txt: accounting records in any order and at any time, and does not place ../data/rfc/rfc3588.txt- any standards requirement on the processing of these records. ../data/rfc/rfc3588.txt- Implementations of Diameter MAY perform checking, ordering, ../data/rfc/rfc3588.txt- correlation, fraud detection, and other tasks based on these records. 
../data/rfc/rfc3588.txt- Both base Diameter AVPs as well as application specific AVPs MAY be ../data/rfc/rfc3588.txt- inspected as a part of these tasks. The tasks can happen either ../data/rfc/rfc3588.txt- immediately after record reception or in a post-processing phase. ../data/rfc/rfc3588.txt- However, as these tasks are typically application or even policy ../data/rfc/rfc3588.txt- dependent, they are not standardized by the Diameter specifications. ../data/rfc/rfc3588.txt: Applications MAY define requirements on when to accept accounting ../data/rfc/rfc3588.txt: records based on the used value of Accounting-Realtime-Required AVP, ../data/rfc/rfc3588.txt- credit limits checks, and so on. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- However, the Diameter base protocol defines one optional server side ../data/rfc/rfc3588.txt- state machine that MAY be followed by applications that require ../data/rfc/rfc3588.txt: keeping track of the session state at the accounting server. Note ../data/rfc/rfc3588.txt- that such tracking is incompatible with the ability to sustain long ../data/rfc/rfc3588.txt- duration connectivity problems. Therefore, the use of this state ../data/rfc/rfc3588.txt- machine is recommended only in applications where the value of the ../data/rfc/rfc3588.txt: Accounting-Realtime-Required AVP is DELIVER_AND_GRANT, and hence ../data/rfc/rfc3588.txt: accounting connectivity problems are required to cause the serviced ../data/rfc/rfc3588.txt- user to be disconnected. Otherwise, records produced by the client ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-Calhoun, et al. Standards Track [Page 96] -- ../data/rfc/rfc3588.txt- connectivity is re-established. This state machine is the third ../data/rfc/rfc3588.txt- state machine in this section. 
The state machine is supervised by a ../data/rfc/rfc3588.txt- supervision session timer Ts, which the value should be reasonably ../data/rfc/rfc3588.txt- higher than the Acct_Interim_Interval value. Ts MAY be set to two ../data/rfc/rfc3588.txt- times the value of the Acct_Interim_Interval so as to avoid the ../data/rfc/rfc3588.txt: accounting session in the Diameter server to change to Idle state in ../data/rfc/rfc3588.txt- case of short transient network failure. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Any event not listed in the state machines MUST be considered as an ../data/rfc/rfc3588.txt- error condition, and a corresponding answer, if applicable, MUST be ../data/rfc/rfc3588.txt- returned to the originator of the message. -- ../data/rfc/rfc3588.txt- In the state table, the event 'Failure to send' means that the ../data/rfc/rfc3588.txt- Diameter client is unable to communicate with the desired ../data/rfc/rfc3588.txt- destination. This could be due to the peer being down, or due to the ../data/rfc/rfc3588.txt- peer sending back a transient failure or temporary protocol error ../data/rfc/rfc3588.txt- notification DIAMETER_OUT_OF_SPACE, DIAMETER_TOO_BUSY, or ../data/rfc/rfc3588.txt: DIAMETER_LOOP_DETECTED in the Result-Code AVP of the Accounting ../data/rfc/rfc3588.txt- Answer command. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The event 'Failed answer' means that the Diameter client received a ../data/rfc/rfc3588.txt: non-transient failure notification in the Accounting Answer command. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Note that the action 'Disconnect user/dev' MUST have an effect also ../data/rfc/rfc3588.txt- to the authorization session state table, e.g., cause the STR message ../data/rfc/rfc3588.txt- to be sent, if the given application has both ../data/rfc/rfc3588.txt: authentication/authorization and accounting portions. 
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The states PendingS, PendingI, PendingL, PendingE and PendingB stand ../data/rfc/rfc3588.txt: for pending states to wait for an answer to an accounting request ../data/rfc/rfc3588.txt- related to a Start, Interim, Stop, Event or buffered record, ../data/rfc/rfc3588.txt- respectively. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: CLIENT, ACCOUNTING ../data/rfc/rfc3588.txt- State Event Action New State ../data/rfc/rfc3588.txt- ------------------------------------------------------------- ../data/rfc/rfc3588.txt- Idle Client or device requests Send PendingS ../data/rfc/rfc3588.txt: access accounting ../data/rfc/rfc3588.txt- start req. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Idle Client or device requests Send PendingE ../data/rfc/rfc3588.txt: a one-time service accounting ../data/rfc/rfc3588.txt- event req ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Idle Records in storage Send PendingB ../data/rfc/rfc3588.txt- record ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt-Calhoun, et al. 
Standards Track [Page 97] ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-RFC 3588 Diameter Based Protocol September 2003 ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingS Successful accounting Open ../data/rfc/rfc3588.txt- start answer received ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- PendingS Failure to send and buffer Store Open ../data/rfc/rfc3588.txt- space available and realtime Start ../data/rfc/rfc3588.txt- not equal to DELIVER_AND_GRANT Record -- ../data/rfc/rfc3588.txt- PendingS Failure to send and no buffer Disconnect Idle ../data/rfc/rfc3588.txt- space available and realtime user/dev ../data/rfc/rfc3588.txt- not equal to ../data/rfc/rfc3588.txt- GRANT_AND_LOSE ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingS Failed accounting start answer Open ../data/rfc/rfc3588.txt- received and realtime equal ../data/rfc/rfc3588.txt- to GRANT_AND_LOSE ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingS Failed accounting start answer Disconnect Idle ../data/rfc/rfc3588.txt- received and realtime not user/dev ../data/rfc/rfc3588.txt- equal to GRANT_AND_LOSE ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- PendingS User service terminated Store PendingS ../data/rfc/rfc3588.txt- stop ../data/rfc/rfc3588.txt- record ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Open Interim interval elapses Send PendingI ../data/rfc/rfc3588.txt: accounting ../data/rfc/rfc3588.txt- interim ../data/rfc/rfc3588.txt- record ../data/rfc/rfc3588.txt- Open User service terminated Send PendingL ../data/rfc/rfc3588.txt: accounting ../data/rfc/rfc3588.txt- stop req. 
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingI Successful accounting interim Open ../data/rfc/rfc3588.txt- answer received ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- PendingI Failure to send and (buffer Store Open ../data/rfc/rfc3588.txt- space available or old record interim ../data/rfc/rfc3588.txt- can be overwritten) and record -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- PendingI Failure to send and no buffer Disconnect Idle ../data/rfc/rfc3588.txt- space available and realtime user/dev ../data/rfc/rfc3588.txt- not equal to GRANT_AND_LOSE ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingI Failed accounting interim Open ../data/rfc/rfc3588.txt- answer received and realtime ../data/rfc/rfc3588.txt- equal to GRANT_AND_LOSE ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingI Failed accounting interim Disconnect Idle ../data/rfc/rfc3588.txt- answer received and realtime user/dev ../data/rfc/rfc3588.txt- not equal to GRANT_AND_LOSE ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- PendingI User service terminated Store PendingI ../data/rfc/rfc3588.txt- stop ../data/rfc/rfc3588.txt- record ../data/rfc/rfc3588.txt: PendingE Successful accounting Idle ../data/rfc/rfc3588.txt- event answer received ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- PendingE Failure to send and buffer Store Idle ../data/rfc/rfc3588.txt- space available event ../data/rfc/rfc3588.txt- record ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- PendingE Failure to send and no buffer Idle ../data/rfc/rfc3588.txt- space available ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingE Failed accounting event answer Idle ../data/rfc/rfc3588.txt- received ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingB Successful accounting answer Delete Idle ../data/rfc/rfc3588.txt- received record ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- PendingB Failure to send Idle ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingB Failed accounting answer 
Delete Idle ../data/rfc/rfc3588.txt- received record ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingL Successful accounting Idle ../data/rfc/rfc3588.txt- stop answer received ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- PendingL Failure to send and buffer Store Idle ../data/rfc/rfc3588.txt- space available stop ../data/rfc/rfc3588.txt- record ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- PendingL Failure to send and no buffer Idle ../data/rfc/rfc3588.txt- space available ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: PendingL Failed accounting stop answer Idle ../data/rfc/rfc3588.txt- received ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-Calhoun, et al. Standards Track [Page 99] ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-RFC 3588 Diameter Based Protocol September 2003 ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: SERVER, STATELESS ACCOUNTING ../data/rfc/rfc3588.txt- State Event Action New State ../data/rfc/rfc3588.txt- ------------------------------------------------------------- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Idle Accounting start request Send Idle ../data/rfc/rfc3588.txt: received, and successfully accounting ../data/rfc/rfc3588.txt- processed. start ../data/rfc/rfc3588.txt- answer ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Idle Accounting event request Send Idle ../data/rfc/rfc3588.txt: received, and successfully accounting ../data/rfc/rfc3588.txt- processed. event ../data/rfc/rfc3588.txt- answer ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Idle Interim record received, Send Idle ../data/rfc/rfc3588.txt: and successfully processed. 
accounting ../data/rfc/rfc3588.txt- interim ../data/rfc/rfc3588.txt- answer ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Idle Accounting stop request Send Idle ../data/rfc/rfc3588.txt: received, and successfully accounting ../data/rfc/rfc3588.txt- processed stop answer ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Idle Accounting request received, Send Idle ../data/rfc/rfc3588.txt: no space left to store accounting ../data/rfc/rfc3588.txt- records answer, ../data/rfc/rfc3588.txt- Result-Code ../data/rfc/rfc3588.txt- = OUT_OF_ ../data/rfc/rfc3588.txt- SPACE ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: SERVER, STATEFUL ACCOUNTING ../data/rfc/rfc3588.txt- State Event Action New State ../data/rfc/rfc3588.txt- ------------------------------------------------------------- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Idle Accounting start request Send Open ../data/rfc/rfc3588.txt: received, and successfully accounting ../data/rfc/rfc3588.txt- processed. start ../data/rfc/rfc3588.txt- answer, ../data/rfc/rfc3588.txt- Start Ts ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Idle Accounting event request Send Idle ../data/rfc/rfc3588.txt: received, and successfully accounting ../data/rfc/rfc3588.txt- processed. event ../data/rfc/rfc3588.txt- answer ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt-Calhoun, et al. Standards Track [Page 100] ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-RFC 3588 Diameter Based Protocol September 2003 ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Idle Accounting request received, Send Idle ../data/rfc/rfc3588.txt: no space left to store accounting ../data/rfc/rfc3588.txt- records answer, ../data/rfc/rfc3588.txt- Result-Code ../data/rfc/rfc3588.txt- = OUT_OF_ ../data/rfc/rfc3588.txt- SPACE ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Open Interim record received, Send Open ../data/rfc/rfc3588.txt: and successfully processed. 
accounting ../data/rfc/rfc3588.txt- interim ../data/rfc/rfc3588.txt- answer, ../data/rfc/rfc3588.txt- Restart Ts ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Open Accounting stop request Send Idle ../data/rfc/rfc3588.txt: received, and successfully accounting ../data/rfc/rfc3588.txt- processed stop answer, ../data/rfc/rfc3588.txt- Stop Ts ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Open Accounting request received, Send Idle ../data/rfc/rfc3588.txt: no space left to store accounting ../data/rfc/rfc3588.txt- records answer, ../data/rfc/rfc3588.txt- Result-Code ../data/rfc/rfc3588.txt- = OUT_OF_ ../data/rfc/rfc3588.txt- SPACE, ../data/rfc/rfc3588.txt- Stop Ts -- ../data/rfc/rfc3588.txt- Diameter Header (see Section 3). ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Session-Id MUST be globally and eternally unique, as it is meant ../data/rfc/rfc3588.txt- to uniquely identify a user session without reference to any other ../data/rfc/rfc3588.txt- information, and may be needed to correlate historical authentication ../data/rfc/rfc3588.txt: information with accounting information. The Session-Id includes a ../data/rfc/rfc3588.txt- mandatory portion and an implementation-defined portion; a ../data/rfc/rfc3588.txt- recommended format for the implementation-defined portion is outlined ../data/rfc/rfc3588.txt- below. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Session-Id MUST begin with the sender's identity encoded in the -- ../data/rfc/rfc3588.txt- Example, in which there is an optional value: ../data/rfc/rfc3588.txt- accesspoint7.acme.com;1876543210;523;mobile@200.1.1.88 ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Session-Id is created by the Diameter application initiating the ../data/rfc/rfc3588.txt- session, which in most cases is done by the client. Note that a ../data/rfc/rfc3588.txt: Session-Id MAY be used for both the authorization and accounting ../data/rfc/rfc3588.txt- commands of a given application. 
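The SERVER, STATEFUL ACCOUNTING table and the supervision timer Ts described in Section 8.2 above, worked through in Python. This is an added example, not code from RFC 3588 or from any Diameter implementation: the class, method and scenario names are this example's own, the storage capacity is a constructed limit, and Ts is set to twice Acct-Interim-Interval as the text suggests. The Result-Code values DIAMETER_SUCCESS (2001) and DIAMETER_UNABLE_TO_COMPLY (5012) and the Accounting-Record-Type values come from other sections of the RFC that the excerpt does not show.

```python
"""Stateful Diameter accounting server with the Ts supervision timer.

Added example, not code from RFC 3588 or any Diameter implementation.  It
models the SERVER, STATEFUL ACCOUNTING table from Section 8.2 together with
the supervision timer Ts, set to twice Acct-Interim-Interval as the text
suggests.  Class, method and scenario names are this example's own.
"""
from dataclasses import dataclass

# Result-Code values defined in RFC 3588 (Section 7.1); 2001 and 5012 are
# not shown in the excerpt above.  OUT_OF_SPACE is the transient failure the
# state table refers to.
DIAMETER_SUCCESS = 2001
DIAMETER_OUT_OF_SPACE = 4002
DIAMETER_UNABLE_TO_COMPLY = 5012

# Accounting-Record-Type values (RFC 3588 Section 9.8.1).
EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4


@dataclass
class OpenSession:
    deadline: float  # absolute time at which the supervision timer Ts expires


class StatefulAccountingServer:
    """Tracks Open sessions; a session absent from `open` is in state Idle."""

    def __init__(self, acct_interim_interval: float, capacity: int):
        # Ts must be "reasonably higher" than Acct-Interim-Interval; twice the
        # interval means a single lost interim record does not drop the session.
        self.ts = 2 * acct_interim_interval
        self.capacity = capacity  # constructed stable-storage limit, in records
        self.stored = 0
        self.open: dict[str, OpenSession] = {}

    def state(self, session_id: str) -> str:
        return "Open" if session_id in self.open else "Idle"

    def expire(self, now: float) -> list[str]:
        """Move sessions whose Ts has elapsed back to Idle; return their ids."""
        expired = sorted(sid for sid, s in self.open.items() if s.deadline < now)
        for sid in expired:
            del self.open[sid]
        return expired

    def receive(self, session_id: str, record_type: int, now: float):
        """Apply the table row for one Accounting-Request.

        Returns (Result-Code for the Accounting-Answer, new state of the session).
        """
        self.expire(now)
        state = self.state(session_id)

        # "Accounting request received, no space left to store records":
        # answer OUT_OF_SPACE; if the session was Open, stop Ts and go Idle.
        if self.stored >= self.capacity:
            self.open.pop(session_id, None)
            return DIAMETER_OUT_OF_SPACE, "Idle"

        if state == "Idle" and record_type == START_RECORD:
            self.stored += 1
            self.open[session_id] = OpenSession(deadline=now + self.ts)  # Start Ts
            return DIAMETER_SUCCESS, "Open"
        if state == "Idle" and record_type == EVENT_RECORD:
            self.stored += 1
            return DIAMETER_SUCCESS, "Idle"
        if state == "Open" and record_type == INTERIM_RECORD:
            self.stored += 1
            self.open[session_id].deadline = now + self.ts  # Restart Ts
            return DIAMETER_SUCCESS, "Open"
        if state == "Open" and record_type == STOP_RECORD:
            self.stored += 1
            del self.open[session_id]  # Stop Ts
            return DIAMETER_SUCCESS, "Idle"

        # Any event not listed in the table is an error condition and an answer
        # is returned; answering with a permanent failure is this example's choice.
        return DIAMETER_UNABLE_TO_COMPLY, state


def simulate_transient_outage(interval: float = 60.0) -> dict:
    """Constructed scenario showing why Ts = 2 * Acct-Interim-Interval:
    one lost interim record keeps the session Open, two in a row do not."""
    srv = StatefulAccountingServer(acct_interim_interval=interval, capacity=100)
    sid = "accesspoint7.acme.com;1876543210;523;mobile@200.1.1.88"  # page's example id
    srv.receive(sid, START_RECORD, 0.0)
    # The interim due at t = interval is lost; the next arrives at 2 * interval.
    _, after_one_loss = srv.receive(sid, INTERIM_RECORD, 2 * interval)
    # Now the interims due at 3 * interval and 4 * interval are both lost.
    srv.expire(5 * interval)
    return {"after_one_loss": after_one_loss, "after_two_losses": srv.state(sid)}


if __name__ == "__main__":
    print(simulate_transient_outage())
```

The scenario makes the trade-off in the text concrete: with Ts at twice the interval a single transient failure is absorbed, while a longer outage drops the server-side session to Idle, which is why the RFC recommends this machine only when Accounting-Realtime-Required is DELIVER_AND_GRANT and a disconnect is the intended outcome.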
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-8.9. Authorization-Lifetime AVP ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Authorization-Lifetime AVP (AVP Code 291) is of type Unsigned32 -- ../data/rfc/rfc3588.txt- When set, the STR message for this session MUST NOT include the ../data/rfc/rfc3588.txt- Destination-Host AVP. When cleared, the default value, the ../data/rfc/rfc3588.txt- Destination-Host AVP MUST be present in the STR message for this ../data/rfc/rfc3588.txt- session. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: ACCOUNTING 4 ../data/rfc/rfc3588.txt: When set, all accounting messages for this session MUST NOT ../data/rfc/rfc3588.txt- include the Destination-Host AVP. When cleared, the default ../data/rfc/rfc3588.txt- value, the Destination-Host AVP, if known, MUST be present in all ../data/rfc/rfc3588.txt: accounting messages for this session. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-8.18. Session-Server-Failover AVP ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Session-Server-Failover AVP (AVP Code 271) is of type Enumerated, ../data/rfc/rfc3588.txt- and MAY be present in application-specific authorization answer -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Class AVP (AVP Code 25) is of type OctetString and is used to by ../data/rfc/rfc3588.txt- Diameter servers to return state information to the access device. ../data/rfc/rfc3588.txt- When one or more Class AVPs are present in application-specific ../data/rfc/rfc3588.txt- authorization answer messages, they MUST be present in subsequent ../data/rfc/rfc3588.txt: re-authorization, session termination and accounting messages. Class ../data/rfc/rfc3588.txt- AVPs found in a re-authorization answer message override the ones ../data/rfc/rfc3588.txt- found in any previous authorization answer message. 
Diameter server ../data/rfc/rfc3588.txt- implementations SHOULD NOT return Class AVPs that require more than ../data/rfc/rfc3588.txt- 4096 bytes of storage on the Diameter client. A Diameter client that ../data/rfc/rfc3588.txt- receives Class AVPs whose size exceeds local available storage MUST -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-8.21. Event-Timestamp AVP ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Event-Timestamp (AVP Code 55) is of type Time, and MAY be ../data/rfc/rfc3588.txt: included in an Accounting-Request and Accounting-Answer messages to ../data/rfc/rfc3588.txt- record the time that the reported event occurred, in seconds since ../data/rfc/rfc3588.txt- January 1, 1900 00:00 UTC. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9. Accounting ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: This accounting protocol is based on a server directed model with ../data/rfc/rfc3588.txt: capabilities for real-time delivery of accounting information. ../data/rfc/rfc3588.txt- Several fault resilience methods [ACCMGMT] have been built in to the ../data/rfc/rfc3588.txt: protocol in order minimize loss of accounting data in various fault ../data/rfc/rfc3588.txt- situations and under different assumptions about the capabilities of ../data/rfc/rfc3588.txt- the used devices. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-9.1. Server Directed Model ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The server directed model means that the device generating the ../data/rfc/rfc3588.txt: accounting data gets information from either the authorization server ../data/rfc/rfc3588.txt: (if contacted) or the accounting server regarding the way accounting ../data/rfc/rfc3588.txt: data shall be forwarded. This information includes accounting record ../data/rfc/rfc3588.txt- timeliness requirements. 
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: As discussed in [ACCMGMT], real-time transfer of accounting records ../data/rfc/rfc3588.txt- is a requirement, such as the need to perform credit limit checks and ../data/rfc/rfc3588.txt: fraud detection. Note that batch accounting is not a requirement, ../data/rfc/rfc3588.txt- and is therefore not supported by Diameter. Should batched ../data/rfc/rfc3588.txt: accounting be required in the future, a new Diameter application will ../data/rfc/rfc3588.txt- need to be created, or it could be handled using another protocol. ../data/rfc/rfc3588.txt: Note, however, that even if at the Diameter layer accounting requests ../data/rfc/rfc3588.txt- are processed one by one, transport protocols used under Diameter ../data/rfc/rfc3588.txt- typically batch several requests in the same packet under heavy ../data/rfc/rfc3588.txt- traffic conditions. This may be sufficient for many applications. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The authorization server (chain) directs the selection of proper ../data/rfc/rfc3588.txt- transfer strategy, based on its knowledge of the user and ../data/rfc/rfc3588.txt- relationships of roaming partnerships. The server (or agents) uses ../data/rfc/rfc3588.txt: the Acct-Interim-Interval and Accounting-Realtime-Required AVPs to ../data/rfc/rfc3588.txt- control the operation of the Diameter peer operating as a client. ../data/rfc/rfc3588.txt- The Acct-Interim-Interval AVP, when present, instructs the Diameter ../data/rfc/rfc3588.txt: node acting as a client to produce accounting records continuously ../data/rfc/rfc3588.txt: even during a session. Accounting-Realtime-Required AVP is used to ../data/rfc/rfc3588.txt: control the behavior of the client when the transfer of accounting ../data/rfc/rfc3588.txt- records from the Diameter client is delayed or unsuccessful. 
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt-Calhoun, et al. Standards Track [Page 115] ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-RFC 3588 Diameter Based Protocol September 2003 ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The Diameter accounting server MAY override the interim interval or ../data/rfc/rfc3588.txt- the realtime requirements by including the Acct-Interim-Interval or ../data/rfc/rfc3588.txt: Accounting-Realtime-Required AVP in the Accounting-Answer message. ../data/rfc/rfc3588.txt- When one of these AVPs is present, the latest value received SHOULD ../data/rfc/rfc3588.txt: be used in further accounting activities for the same session. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-9.2. Protocol Messages ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- A Diameter node that receives a successful authentication and/or ../data/rfc/rfc3588.txt- authorization messages from the Home AAA server MUST collect ../data/rfc/rfc3588.txt: accounting information for the session. The Accounting-Request ../data/rfc/rfc3588.txt: message is used to transmit the accounting information to the Home ../data/rfc/rfc3588.txt: AAA server, which MUST reply with the Accounting-Answer message to ../data/rfc/rfc3588.txt: confirm reception. The Accounting-Answer message includes the ../data/rfc/rfc3588.txt- Result-Code AVP, which MAY indicate that an error was present in the ../data/rfc/rfc3588.txt: accounting message. A rejected Accounting-Request message MAY cause ../data/rfc/rfc3588.txt- the user's session to be terminated, depending on the value of the ../data/rfc/rfc3588.txt: Accounting-Realtime-Required AVP received earlier for the session in ../data/rfc/rfc3588.txt- question. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Each Diameter Accounting protocol message MAY be compressed, in order ../data/rfc/rfc3588.txt- to reduce network bandwidth usage. 
If IPsec and IKE are used to ../data/rfc/rfc3588.txt- secure the Diameter session, then IP compression [IPComp] MAY be used ../data/rfc/rfc3588.txt- and IKE [IKE] MAY be used to negotiate the compression parameters. ../data/rfc/rfc3588.txt- If TLS is used to secure the Diameter session, then TLS compression ../data/rfc/rfc3588.txt- [TLS] MAY be used. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-9.3. Application document requirements ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Each Diameter application (e.g., NASREQ, MobileIP), MUST define their ../data/rfc/rfc3588.txt: Service-Specific AVPs that MUST be present in the Accounting-Request ../data/rfc/rfc3588.txt: message in a section entitled "Accounting AVPs". The application ../data/rfc/rfc3588.txt- MUST assume that the AVPs described in this document will be present ../data/rfc/rfc3588.txt: in all Accounting messages, so only their respective service-specific ../data/rfc/rfc3588.txt- AVPs need to be defined in this section. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-9.4. Fault Resilience ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Diameter Base protocol mechanisms are used to overcome small message ../data/rfc/rfc3588.txt- loss and network faults of temporary nature. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Diameter peers acting as clients MUST implement the use of failover ../data/rfc/rfc3588.txt- to guard against server failures and certain network failures. 
../data/rfc/rfc3588.txt- Diameter peers acting as agents or related off-line processing ../data/rfc/rfc3588.txt: systems MUST detect duplicate accounting records caused by the ../data/rfc/rfc3588.txt- sending of same record to several servers and duplication of messages ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-RFC 3588 Diameter Based Protocol September 2003 ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- in transit. This detection MUST be based on the inspection of the ../data/rfc/rfc3588.txt: Session-Id and Accounting-Record-Number AVP pairs. Appendix C ../data/rfc/rfc3588.txt- discusses duplicate detection needs and implementation issues. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Diameter clients MAY have non-volatile memory for the safe storage of ../data/rfc/rfc3588.txt: accounting records over reboots or extended network failures, network ../data/rfc/rfc3588.txt- partitions, and server failures. If such memory is available, the ../data/rfc/rfc3588.txt: client SHOULD store new accounting records there as soon as the ../data/rfc/rfc3588.txt- records are created and until a positive acknowledgement of their ../data/rfc/rfc3588.txt- reception from the Diameter Server has been received. Upon a reboot, ../data/rfc/rfc3588.txt- the client MUST starting sending the records in the non-volatile ../data/rfc/rfc3588.txt: memory to the accounting server with appropriate modifications in ../data/rfc/rfc3588.txt- termination cause, session length, and other relevant information in ../data/rfc/rfc3588.txt- the records. 
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- A further application of this protocol may include AVPs to control ../data/rfc/rfc3588.txt: how many accounting records may at most be stored in the Diameter ../data/rfc/rfc3588.txt- client without committing them to the non-volatile memory or ../data/rfc/rfc3588.txt- transferring them to the Diameter server. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The client SHOULD NOT remove the accounting data from any of its ../data/rfc/rfc3588.txt: memory areas before the correct Accounting-Answer has been received. ../data/rfc/rfc3588.txt- The client MAY remove oldest, undelivered or yet unacknowledged ../data/rfc/rfc3588.txt: accounting data if it runs out of resources such as memory. It is an ../data/rfc/rfc3588.txt- implementation dependent matter for the client to accept new sessions ../data/rfc/rfc3588.txt- under this condition. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9.5. Accounting Records ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: In all accounting records, the Session-Id AVP MUST be present; the ../data/rfc/rfc3588.txt- User-Name AVP MUST be present if it is available to the Diameter ../data/rfc/rfc3588.txt- client. If strong authentication across agents is required, end-to- ../data/rfc/rfc3588.txt- end security may be used for authentication purposes. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Different types of accounting records are sent depending on the ../data/rfc/rfc3588.txt- actual type of accounted service and the authorization server's ../data/rfc/rfc3588.txt: directions for interim accounting. If the accounted service is a ../data/rfc/rfc3588.txt- one-time event, meaning that the start and stop of the event are ../data/rfc/rfc3588.txt: simultaneous, then the Accounting-Record-Type AVP MUST be present and ../data/rfc/rfc3588.txt- set to the value EVENT_RECORD. 
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- If the accounted service is of a measurable length, then the AVP MUST ../data/rfc/rfc3588.txt- use the values START_RECORD, STOP_RECORD, and possibly, ../data/rfc/rfc3588.txt- INTERIM_RECORD. If the authorization server has not directed interim ../data/rfc/rfc3588.txt: accounting to be enabled for the session, two accounting records MUST ../data/rfc/rfc3588.txt- be generated for each service of type session. When the initial ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt-Calhoun, et al. Standards Track [Page 117] ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: Accounting-Request for a given session is sent, the Accounting-Record-Type AVP MUST be set to the value START_RECORD. When the last ../data/rfc/rfc3588.txt: Accounting-Request is sent, the value MUST be STOP_RECORD. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: If the authorization server has directed interim accounting to be ../data/rfc/rfc3588.txt- enabled, the Diameter client MUST produce additional records between ../data/rfc/rfc3588.txt- the START_RECORD and STOP_RECORD, marked INTERIM_RECORD. The ../data/rfc/rfc3588.txt- production of these records is directed by Acct-Interim-Interval as ../data/rfc/rfc3588.txt- well as any re-authentication or re-authorization of the session. The ../data/rfc/rfc3588.txt: Diameter client MUST overwrite any previous interim accounting ../data/rfc/rfc3588.txt- records that are locally stored for delivery, if a new record is ../data/rfc/rfc3588.txt- being generated for the same session. This ensures that only one ../data/rfc/rfc3588.txt- pending interim record can exist on an access device for any given ../data/rfc/rfc3588.txt- session.
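As an added example (not code from RFC 3588 or from any Diameter implementation), the record-sequence rule of Section 9.5, the numbering scheme of Section 9.8.3 and the (Session-Id, Accounting-Record-Number) duplicate check of Section 9.4 and Appendix C, modelled in Python; the Session-Id value, the acknowledgement model and the accepted/duplicate/rejected classification are assumptions of this example.

```python
"""Diameter accounting record sequencing and duplicate detection (RFC 3588 9.4/9.5/9.8.3).
Client: numbers 0 (EVENT/START), 1.. (INTERIM), last+1 (STOP), one pending interim.
Server: duplicates found on the (Session-Id, Accounting-Record-Number) pair, any order."""
from dataclasses import dataclass, replace
from typing import List, Set, Tuple

# Accounting-Record-Type AVP (AVP Code 480) values from Section 9.8.1.
EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4


@dataclass(frozen=True)
class AcctRecord:
    session_id: str        # Session-Id AVP, globally unique (Section 8.8)
    record_type: int       # Accounting-Record-Type AVP
    record_number: int     # Accounting-Record-Number AVP (AVP Code 485)
    t_flag: bool = False   # Command Flags 'T' bit: application-layer retransmission


class AcctClientSession:
    """Client side: one legal record sequence per Session-Id plus the unacknowledged store."""
    def __init__(self, session_id: str) -> None:
        self.session_id = session_id
        self.next_number = 0
        self.closed = False
        self.pending: List[AcctRecord] = []   # created but not yet confirmed by an ACA

    def emit(self, record_type: int) -> AcctRecord:
        """Create the next record, enforcing the Section 9.5 ordering of the sequence."""
        opening = record_type in (EVENT_RECORD, START_RECORD)
        if self.closed or opening != (self.next_number == 0):
            raise ValueError("type %d not allowed at position %d" % (record_type, self.next_number))
        rec = AcctRecord(self.session_id, record_type, self.next_number)
        self.next_number += 1   # numbers are never reused, so the server may see gaps
        if record_type == INTERIM_RECORD:
            # Section 9.5: a new interim record overwrites any interim record still
            # waiting for delivery, so at most one pending interim exists per session.
            self.pending = [p for p in self.pending if p.record_type != INTERIM_RECORD]
        self.pending.append(rec)
        if record_type in (EVENT_RECORD, STOP_RECORD):
            self.closed = True
        return rec

    def acknowledge(self, record_number: int) -> None:
        """ACA received: only now may the record leave the client's memory (Section 9.4)."""
        self.pending = [p for p in self.pending if p.record_number != record_number]

    def retransmit(self) -> List[AcctRecord]:
        """Resend everything unacknowledged (failover or reboot) with the T flag set."""
        return [replace(p, t_flag=True) for p in self.pending]


class AcctServer:
    """Server side: duplicate detection keyed on (Session-Id, Accounting-Record-Number)."""
    def __init__(self) -> None:
        self.seen: Set[Tuple[str, int]] = set()
        self.open: Set[str] = set()       # sessions with an accepted START_RECORD
        self.finished: Set[str] = set()   # sessions closed by EVENT_RECORD or STOP_RECORD

    def receive(self, rec: AcctRecord) -> str:
        """Classify one Accounting-Request as 'duplicate', 'accepted' or 'rejected'."""
        key = (rec.session_id, rec.record_number)
        # The pair check ignores the T flag and arrival order: whichever copy arrives first
        # is recorded, the other is the duplicate (Appendix C needs this for late originals).
        if key in self.seen:
            return "duplicate"
        if rec.session_id in self.finished:
            return "rejected"   # nothing may follow EVENT_RECORD or STOP_RECORD
        if rec.record_type in (EVENT_RECORD, START_RECORD) and rec.session_id in self.open:
            return "rejected"   # a sequence has exactly one opening record
        if rec.record_type in (INTERIM_RECORD, STOP_RECORD) and rec.session_id not in self.open:
            return "rejected"   # interim and stop records need a prior START_RECORD
        self.seen.add(key)
        if rec.record_type == START_RECORD:
            self.open.add(rec.session_id)
        elif rec.record_type in (EVENT_RECORD, STOP_RECORD):
            self.open.discard(rec.session_id)
            self.finished.add(rec.session_id)
        return "accepted"


def demo() -> list:
    """One session: start, interim overwrite, failover resend, out-of-order stop."""
    client = AcctClientSession("nas.example.com;1096298391;12")   # constructed Session-Id
    server = AcctServer()
    log = []
    log.append(server.receive(client.emit(START_RECORD)))        # number 0: 'accepted'
    client.acknowledge(0)
    client.emit(INTERIM_RECORD)                                  # number 1, never delivered
    interim = client.emit(INTERIM_RECORD)                        # number 2 overwrites it
    log.append([p.record_number for p in client.pending])        # [2]
    log.append(server.receive(interim))                          # 'accepted'
    # ACA lost and the client fails over: the T-flagged resend is caught as a duplicate.
    log.append([server.receive(r) for r in client.retransmit()]) # ['duplicate']
    client.acknowledge(2)
    stop = client.emit(STOP_RECORD)                              # number 3 closes the sequence
    log.append(server.receive(replace(stop, t_flag=True)))       # resend arrives first: 'accepted'
    log.append(server.receive(stop))                             # delayed original: 'duplicate'
    log.append(server.receive(AcctRecord(client.session_id, INTERIM_RECORD, 4)))  # 'rejected'
    return log
```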
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: A particular value of Accounting-Sub-Session-Id MUST appear only in ../data/rfc/rfc3588.txt: one sequence of accounting records from a Diameter client, except for ../data/rfc/rfc3588.txt- the purposes of retransmission. The one sequence that is sent MUST ../data/rfc/rfc3588.txt: be either one record with Accounting-Record-Type AVP set to the value ../data/rfc/rfc3588.txt- EVENT_RECORD, or several records starting with one having the value ../data/rfc/rfc3588.txt- START_RECORD, followed by zero or more INTERIM_RECORD and a single ../data/rfc/rfc3588.txt- STOP_RECORD. A particular Diameter application specification MUST ../data/rfc/rfc3588.txt- define the type of sequences that MUST be used. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9.6. Correlation of Accounting Records ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Diameter protocol's Session-Id AVP, which is globally unique (see ../data/rfc/rfc3588.txt- Section 8.8), is used during the authorization phase to identify a ../data/rfc/rfc3588.txt- particular session. Services that do not require any authorization ../data/rfc/rfc3588.txt: still use the Session-Id AVP to identify sessions. Accounting ../data/rfc/rfc3588.txt- messages MAY use a different Session-Id from that sent in ../data/rfc/rfc3588.txt- authorization messages. Specific applications MAY require a different ../data/rfc/rfc3588.txt: Session-Id for accounting messages. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- However, there are certain applications that require multiple ../data/rfc/rfc3588.txt: accounting sub-sessions. Such applications would send messages with ../data/rfc/rfc3588.txt: a constant Session-Id AVP, but a different Accounting-Sub-Session-Id ../data/rfc/rfc3588.txt- AVP. In these cases, correlation is performed using the Session-Id.
../data/rfc/rfc3588.txt- It is important to note that receiving a STOP_RECORD with no ../data/rfc/rfc3588.txt: Accounting-Sub-Session-Id AVP when sub-sessions were originally used ../data/rfc/rfc3588.txt- in the START_RECORD messages implies that all sub-sessions are ../data/rfc/rfc3588.txt- terminated. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Furthermore, there are certain applications where a user receives ../data/rfc/rfc3588.txt- service from different access devices (e.g., Mobile IPv4), each with -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- determines that a request is for an existing session SHOULD include ../data/rfc/rfc3588.txt- the Acct-Multi-Session-Id AVP, which the access device MUST include ../data/rfc/rfc3588.txt: in all subsequent accounting messages. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Acct-Multi-Session-Id AVP MAY include the value of the original ../data/rfc/rfc3588.txt- Session-Id. Its contents are implementation specific, but MUST be ../data/rfc/rfc3588.txt- globally unique across other Acct-Multi-Session-Id values, and MUST NOT ../data/rfc/rfc3588.txt- change during the life of a session. -- ../data/rfc/rfc3588.txt- session that is being accounted, and MAY define the concept of a ../data/rfc/rfc3588.txt- multi-session. For instance, the NASREQ Diameter application treats ../data/rfc/rfc3588.txt- a single PPP connection to a Network Access Server as one session, ../data/rfc/rfc3588.txt- and a set of Multilink PPP sessions as one multi-session. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9.7. Accounting Command-Codes ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- This section defines Command-Code values that MUST be supported by ../data/rfc/rfc3588.txt: all Diameter implementations that provide Accounting services. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9.7.1.
Accounting-Request ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The Accounting-Request (ACR) command, indicated by the Command-Code ../data/rfc/rfc3588.txt- field set to 271 and the Command Flags' 'R' bit set, is sent by a ../data/rfc/rfc3588.txt: Diameter node, acting as a client, in order to exchange accounting ../data/rfc/rfc3588.txt- information with a peer. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- One of Acct-Application-Id and Vendor-Specific-Application-Id AVPs ../data/rfc/rfc3588.txt- MUST be present. If the Vendor-Specific-Application-Id grouped AVP ../data/rfc/rfc3588.txt- is present, it must have an Acct-Application-Id inside. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The AVP listed below SHOULD include service specific accounting AVPs, ../data/rfc/rfc3588.txt- as described in Section 9.3. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- <ACR> ::= < Diameter Header: 271, REQ, PXY > ../data/rfc/rfc3588.txt- < Session-Id > ../data/rfc/rfc3588.txt- { Origin-Host } ../data/rfc/rfc3588.txt- { Origin-Realm } ../data/rfc/rfc3588.txt- { Destination-Realm } ../data/rfc/rfc3588.txt: { Accounting-Record-Type } ../data/rfc/rfc3588.txt: { Accounting-Record-Number } ../data/rfc/rfc3588.txt- [ Acct-Application-Id ] ../data/rfc/rfc3588.txt- [ Vendor-Specific-Application-Id ] ../data/rfc/rfc3588.txt- [ User-Name ] ../data/rfc/rfc3588.txt: [ Accounting-Sub-Session-Id ] ../data/rfc/rfc3588.txt- [ Acct-Session-Id ] ../data/rfc/rfc3588.txt- [ Acct-Multi-Session-Id ] ../data/rfc/rfc3588.txt- [ Acct-Interim-Interval ] ../data/rfc/rfc3588.txt: [ Accounting-Realtime-Required ] ../data/rfc/rfc3588.txt- [ Origin-State-Id ] ../data/rfc/rfc3588.txt- [ Event-Timestamp ] ../data/rfc/rfc3588.txt- * [ Proxy-Info ] ../data/rfc/rfc3588.txt- * [ Route-Record ] ../data/rfc/rfc3588.txt- * [ AVP ] ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9.7.2. 
Accounting-Answer ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The Accounting-Answer (ACA) command, indicated by the Command-Code ../data/rfc/rfc3588.txt- field set to 271 and the Command Flags' 'R' bit cleared, is used to ../data/rfc/rfc3588.txt: acknowledge an Accounting-Request command. The Accounting-Answer ../data/rfc/rfc3588.txt- command contains the same Session-Id and includes the usage AVPs only ../data/rfc/rfc3588.txt- if CMS is in use when sending this command. Note that the inclusion ../data/rfc/rfc3588.txt- of the usage AVPs when CMS is not being used leads to unnecessarily ../data/rfc/rfc3588.txt- large answer messages, and cannot be used as a server's proof of the ../data/rfc/rfc3588.txt: receipt of these AVPs in an end-to-end fashion. If the Accounting-Request was protected by end-to-end security, then the corresponding ../data/rfc/rfc3588.txt- ACA message MUST be protected by end-to-end security. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Only the target Diameter Server, known as the home Diameter Server, ../data/rfc/rfc3588.txt: SHOULD respond with the Accounting-Answer command. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- One of Acct-Application-Id and Vendor-Specific-Application-Id AVPs ../data/rfc/rfc3588.txt- MUST be present. If the Vendor-Specific-Application-Id grouped AVP ../data/rfc/rfc3588.txt- is present, it must have an Acct-Application-Id inside. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The AVP listed below SHOULD include service specific accounting AVPs, ../data/rfc/rfc3588.txt- as described in Section 9.3.
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- <ACA> ::= < Diameter Header: 271, PXY > ../data/rfc/rfc3588.txt- < Session-Id > ../data/rfc/rfc3588.txt- { Result-Code } ../data/rfc/rfc3588.txt- { Origin-Host } ../data/rfc/rfc3588.txt- { Origin-Realm } ../data/rfc/rfc3588.txt: { Accounting-Record-Type } ../data/rfc/rfc3588.txt: { Accounting-Record-Number } ../data/rfc/rfc3588.txt- [ Acct-Application-Id ] ../data/rfc/rfc3588.txt- [ Vendor-Specific-Application-Id ] ../data/rfc/rfc3588.txt- [ User-Name ] ../data/rfc/rfc3588.txt: [ Accounting-Sub-Session-Id ] ../data/rfc/rfc3588.txt- [ Acct-Session-Id ] ../data/rfc/rfc3588.txt- [ Acct-Multi-Session-Id ] ../data/rfc/rfc3588.txt- [ Error-Reporting-Host ] ../data/rfc/rfc3588.txt- [ Acct-Interim-Interval ] ../data/rfc/rfc3588.txt: [ Accounting-Realtime-Required ] ../data/rfc/rfc3588.txt- [ Origin-State-Id ] ../data/rfc/rfc3588.txt- [ Event-Timestamp ] ../data/rfc/rfc3588.txt- * [ Proxy-Info ] ../data/rfc/rfc3588.txt- * [ AVP ] ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9.8. Accounting AVPs ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: This section contains AVPs that describe accounting usage information ../data/rfc/rfc3588.txt- related to a specific session. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9.8.1. Accounting-Record-Type AVP ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The Accounting-Record-Type AVP (AVP Code 480) is of type Enumerated ../data/rfc/rfc3588.txt: and contains the type of accounting record being sent. The following ../data/rfc/rfc3588.txt: values are currently defined for the Accounting-Record-Type AVP: ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- EVENT_RECORD 1 ../data/rfc/rfc3588.txt: An Accounting Event Record is used to indicate that a one-time ../data/rfc/rfc3588.txt- event has occurred (meaning that the start and end of the event ../data/rfc/rfc3588.txt- are simultaneous). 
This record contains all information relevant ../data/rfc/rfc3588.txt- to the service, and is the only record of the service. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- START_RECORD 2 ../data/rfc/rfc3588.txt: Accounting Start, Interim, and Stop Records are used to ../data/rfc/rfc3588.txt- indicate that a service of a measurable length has been given. An ../data/rfc/rfc3588.txt: Accounting Start Record is used to initiate an accounting session, ../data/rfc/rfc3588.txt: and contains accounting information that is relevant to the ../data/rfc/rfc3588.txt- initiation of the session. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- INTERIM_RECORD 3 ../data/rfc/rfc3588.txt: An Interim Accounting Record contains cumulative accounting ../data/rfc/rfc3588.txt: information for an existing accounting session. Interim ../data/rfc/rfc3588.txt: Accounting Records SHOULD be sent every time a re-authentication ../data/rfc/rfc3588.txt- or re-authorization occurs. Further, additional interim record ../data/rfc/rfc3588.txt- triggers MAY be defined by application-specific Diameter ../data/rfc/rfc3588.txt- applications. Whether INTERIM_RECORD records are used at all ../data/rfc/rfc3588.txt- is selected by the Acct-Interim-Interval AVP. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- STOP_RECORD 4 ../data/rfc/rfc3588.txt: An Accounting Stop Record is sent to terminate an accounting ../data/rfc/rfc3588.txt: session and contains cumulative accounting information relevant to ../data/rfc/rfc3588.txt- the existing session. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-9.8.2.
Acct-Interim-Interval ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Acct-Interim-Interval AVP (AVP Code 85) is of type Unsigned32 and ../data/rfc/rfc3588.txt- is sent from the Diameter home authorization server to the Diameter ../data/rfc/rfc3588.txt- client. The client uses information in this AVP to decide how and ../data/rfc/rfc3588.txt: when to produce accounting records. With different values in this ../data/rfc/rfc3588.txt: AVP, service sessions can result in one, two, or two+N accounting ../data/rfc/rfc3588.txt- records, based on the needs of the home-organization. The following ../data/rfc/rfc3588.txt: accounting record production behavior is directed by the inclusion of ../data/rfc/rfc3588.txt- this AVP: ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- 1. The omission of the Acct-Interim-Interval AVP or its inclusion ../data/rfc/rfc3588.txt- with Value field set to 0 means that EVENT_RECORD, START_RECORD, ../data/rfc/rfc3588.txt- and STOP_RECORD are produced, as appropriate for the service. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- 2. The inclusion of the AVP with Value field set to a non-zero value ../data/rfc/rfc3588.txt- means that INTERIM_RECORD records MUST be produced between the ../data/rfc/rfc3588.txt- START_RECORD and STOP_RECORD records. The Value field of this AVP ../data/rfc/rfc3588.txt- is the nominal interval between these records in seconds. The ../data/rfc/rfc3588.txt: Diameter node that originates the accounting information, known as ../data/rfc/rfc3588.txt- the client, MUST produce the first INTERIM_RECORD record roughly ../data/rfc/rfc3588.txt- at the time when this nominal interval has elapsed from the ../data/rfc/rfc3588.txt- START_RECORD, the next one again as the interval has elapsed once ../data/rfc/rfc3588.txt- more, and so on until the session ends and a STOP_RECORD record is ../data/rfc/rfc3588.txt- produced. 
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The client MUST ensure that the interim record production times ../data/rfc/rfc3588.txt: are randomized so that large accounting message storms are not ../data/rfc/rfc3588.txt- created either among records or around a common service start ../data/rfc/rfc3588.txt- time. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9.8.3. Accounting-Record-Number AVP ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The Accounting-Record-Number AVP (AVP Code 485) is of type Unsigned32 ../data/rfc/rfc3588.txt- and identifies this record within one session. As Session-Id AVPs ../data/rfc/rfc3588.txt: are globally unique, the combination of Session-Id and Accounting-Record-Number AVPs is also globally unique, and can be used in ../data/rfc/rfc3588.txt: matching accounting records with confirmations. An easy way to ../data/rfc/rfc3588.txt- produce unique numbers is to set the value to 0 for records of type ../data/rfc/rfc3588.txt- EVENT_RECORD and START_RECORD, and set the value to 1 for the first ../data/rfc/rfc3588.txt- INTERIM_RECORD, 2 for the second, and so on until the value for ../data/rfc/rfc3588.txt- STOP_RECORD is one more than for the last INTERIM_RECORD. ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-9.8.5. Acct-Multi-Session-Id AVP ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The Acct-Multi-Session-Id AVP (AVP Code 50) is of type UTF8String, ../data/rfc/rfc3588.txt- following the format specified in Section 8.8.
The Acct-Multi-Session-Id AVP is used to link together multiple related accounting ../data/rfc/rfc3588.txt- sessions, where each session would have a unique Session-Id, but the ../data/rfc/rfc3588.txt- same Acct-Multi-Session-Id AVP. This AVP MAY be returned by the ../data/rfc/rfc3588.txt- Diameter server in an authorization answer, and MUST be used in all ../data/rfc/rfc3588.txt: accounting messages for the given session. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9.8.6. Accounting-Sub-Session-Id AVP ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The Accounting-Sub-Session-Id AVP (AVP Code 287) is of type ../data/rfc/rfc3588.txt: Unsigned64 and contains the accounting sub-session identifier. The ../data/rfc/rfc3588.txt- combination of the Session-Id and this AVP MUST be unique per sub-session, and the value of this AVP MUST be monotonically increased by ../data/rfc/rfc3588.txt- one for all new sub-sessions. The absence of this AVP implies no ../data/rfc/rfc3588.txt: sub-sessions are in use, with the exception of an Accounting-Request ../data/rfc/rfc3588.txt: whose Accounting-Record-Type is set to STOP_RECORD. A STOP_RECORD ../data/rfc/rfc3588.txt: message with no Accounting-Sub-Session-Id AVP present will signal the ../data/rfc/rfc3588.txt- termination of all sub-sessions for a given Session-Id. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:9.8.7. Accounting-Realtime-Required AVP ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The Accounting-Realtime-Required AVP (AVP Code 483) is of type ../data/rfc/rfc3588.txt- Enumerated and is sent from the Diameter home authorization server to ../data/rfc/rfc3588.txt: the Diameter client or in the Accounting-Answer from the accounting ../data/rfc/rfc3588.txt- server.
The client uses information in this AVP to decide what to do ../data/rfc/rfc3588.txt: if the sending of accounting records to the accounting server has ../data/rfc/rfc3588.txt- been temporarily prevented due to, for instance, a network problem. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- DELIVER_AND_GRANT 1 ../data/rfc/rfc3588.txt- The AVP with Value field set to DELIVER_AND_GRANT means that the ../data/rfc/rfc3588.txt- service MUST only be granted as long as there is a connection to ../data/rfc/rfc3588.txt: an accounting server. Note that the set of alternative accounting ../data/rfc/rfc3588.txt- servers is treated as one server in this sense. Having to move ../data/rfc/rfc3588.txt: the accounting record stream to a backup server is not a reason to ../data/rfc/rfc3588.txt- discontinue the service to the user. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- GRANT_AND_STORE 2 ../data/rfc/rfc3588.txt- The AVP with Value field set to GRANT_AND_STORE means that service ../data/rfc/rfc3588.txt- SHOULD be granted if there is a connection, or as long as records -- ../data/rfc/rfc3588.txt- 1+ At least one instance of the AVP MUST be present in the ../data/rfc/rfc3588.txt- message. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-10.1. Base Protocol Command AVP Table ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: The table in this section is limited to the non-accounting Command ../data/rfc/rfc3588.txt- Codes defined in this specification.
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- +---+---+---+---+---+---+---+---+---+---+---+---+ ../data/rfc/rfc3588.txt- Attribute Name |CER|CEA|DPR|DPA|DWR|DWA|RAR|RAA|ASR|ASA|STR|STA| ../data/rfc/rfc3588.txt- --------------------+---+---+---+---+---+---+---+---+---+---+---+---+ ../data/rfc/rfc3588.txt- Acct-Interim- |0 |0 |0 |0 |0 |0 |0-1|0 |0 |0 |0 |0 | ../data/rfc/rfc3588.txt- Interval | | | | | | | | | | | | | ../data/rfc/rfc3588.txt: Accounting-Realtime-|0 |0 |0 |0 |0 |0 |0-1|0 |0 |0 |0 |0 | ../data/rfc/rfc3588.txt- Required | | | | | | | | | | | | | ../data/rfc/rfc3588.txt- Acct-Application-Id |0+ |0+ |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 | ../data/rfc/rfc3588.txt- Auth-Application-Id |0+ |0+ |0 |0 |0 |0 |1 |0 |1 |0 |1 |0 | ../data/rfc/rfc3588.txt- Auth-Grace-Period |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 | ../data/rfc/rfc3588.txt- Auth-Request-Type |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 | -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Vendor-Specific- |0+ |0+ |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 | ../data/rfc/rfc3588.txt- Application-Id | | | | | | | | | | | | | ../data/rfc/rfc3588.txt- --------------------+---+---+---+---+---+---+---+---+---+---+---+---+ ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:10.2. Accounting AVP Table ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The table in this section is used to represent which AVPs defined in ../data/rfc/rfc3588.txt: this document are to be present in the Accounting messages. These ../data/rfc/rfc3588.txt- AVP occurrence requirements are guidelines, which may be expanded, ../data/rfc/rfc3588.txt- and/or overridden by application-specific requirements in the ../data/rfc/rfc3588.txt- Diameter applications documents. 
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- +-----------+ -- ../data/rfc/rfc3588.txt- +-----+-----+ ../data/rfc/rfc3588.txt- Attribute Name | ACR | ACA | ../data/rfc/rfc3588.txt- ------------------------------+-----+-----+ ../data/rfc/rfc3588.txt- Acct-Interim-Interval | 0-1 | 0-1 | ../data/rfc/rfc3588.txt- Acct-Multi-Session-Id | 0-1 | 0-1 | ../data/rfc/rfc3588.txt: Accounting-Record-Number | 1 | 1 | ../data/rfc/rfc3588.txt: Accounting-Record-Type | 1 | 1 | ../data/rfc/rfc3588.txt- Acct-Session-Id | 0-1 | 0-1 | ../data/rfc/rfc3588.txt: Accounting-Sub-Session-Id | 0-1 | 0-1 | ../data/rfc/rfc3588.txt: Accounting-Realtime-Required | 0-1 | 0-1 | ../data/rfc/rfc3588.txt- Acct-Application-Id | 0-1 | 0-1 | ../data/rfc/rfc3588.txt- Auth-Application-Id | 0 | 0 | ../data/rfc/rfc3588.txt- Class | 0+ | 0+ | ../data/rfc/rfc3588.txt- Destination-Host | 0-1 | 0 | ../data/rfc/rfc3588.txt- Destination-Realm | 1 | 0 | -- ../data/rfc/rfc3588.txt- This section explains the criteria to be used by the IANA for ../data/rfc/rfc3588.txt- assignment of numbers within namespaces defined within this document. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Diameter is not intended as a general purpose protocol, and ../data/rfc/rfc3588.txt- allocations SHOULD NOT be made for purposes unrelated to ../data/rfc/rfc3588.txt: authentication, authorization or accounting. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- For registration requests where a Designated Expert should be ../data/rfc/rfc3588.txt- consulted, the responsible IESG area director should appoint the ../data/rfc/rfc3588.txt- Designated Expert. For Designated Expert with Specification ../data/rfc/rfc3588.txt- Required, the request is posted to the AAA WG mailing list (or, if it -- ../data/rfc/rfc3588.txt- following values are allocated. 
../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Diameter Common Messages 0 ../data/rfc/rfc3588.txt- NASREQ 1 [NASREQ] ../data/rfc/rfc3588.txt- Mobile-IP 2 [DIAMMIP] ../data/rfc/rfc3588.txt: Diameter Base Accounting 3 ../data/rfc/rfc3588.txt- Relay 0xffffffff ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Assignment of standards-track application IDs is by Designated ../data/rfc/rfc3588.txt- Expert with Specification Required [IANA]. ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:11.4.2. Accounting-Record-Type AVP Values ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: As defined in Section 9.8.1, the Accounting-Record-Type AVP (AVP Code ../data/rfc/rfc3588.txt- 480) defines the values 1-4. All remaining values are available for ../data/rfc/rfc3588.txt- assignment via IETF Consensus [IANA]. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-11.4.3. Termination-Cause AVP Values ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- As defined in Section 8.12, the Re-Auth-Request-Type AVP (AVP Code ../data/rfc/rfc3588.txt- 285) defines the values 0-1. All remaining values are available for ../data/rfc/rfc3588.txt- assignment via IETF Consensus [IANA]. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt:11.4.11. Accounting-Realtime-Required AVP Values ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: As defined in Section 9.8.7, the Accounting-Realtime-Required AVP ../data/rfc/rfc3588.txt- (AVP Code 483) defines the values 1-3. All remaining values are ../data/rfc/rfc3588.txt- available for assignment via IETF Consensus [IANA]. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-11.4.12. Inband-Security-Id AVP (code 299) ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt-14.
References ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-14.1. Normative References ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- [AAATRANS] Aboba, B. and J. Wood, "Authentication, Authorization ../data/rfc/rfc3588.txt: and Accounting (AAA) Transport Profile", RFC 3539, ../data/rfc/rfc3588.txt- June 2003. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax ../data/rfc/rfc3588.txt- Specifications: ABNF", RFC 2234, November 1997. ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- R., Xu, Y., Campbell, E., Baba, S. and E. Jaques, ../data/rfc/rfc3588.txt- "Criteria for Evaluating AAA Protocols for Network ../data/rfc/rfc3588.txt- Access", RFC 2989, November 2000. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- [ACCMGMT] Aboba, B., Arkko, J. and D. Harrington. "Introduction ../data/rfc/rfc3588.txt: to Accounting Management", RFC 2975, October 2000. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- [CDMA2000] Hiller, T., Walsh, P., Chen, X., Munson, M., Dommety, ../data/rfc/rfc3588.txt- G., Sivalingham, S., Lim, B., McCann, P., Shiino, H., ../data/rfc/rfc3588.txt- Hirschman, B., Manning, S., Hsu, R., Koo, H., Lipford, ../data/rfc/rfc3588.txt- M., Calhoun, P., Lo, C., Jaques, E., Campbell, E., Xu, -- ../data/rfc/rfc3588.txt- [MIPV4] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, ../data/rfc/rfc3588.txt- August 2002. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- [MIPREQ] Glass, S., Hiller, T., Jacobs, S. and C. Perkins, ../data/rfc/rfc3588.txt- "Mobile IP Authentication, Authorization, and ../data/rfc/rfc3588.txt: Accounting Requirements", RFC 2977, October 2000. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- [NASNG] Mitton, D. and M. Beadles, "Network Access Server ../data/rfc/rfc3588.txt- Requirements Next Generation (NASREQNG) NAS Model", ../data/rfc/rfc3588.txt- RFC 2881, July 2000. ../data/rfc/rfc3588.txt- -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- [PROXYCHAIN] Aboba, B. 
and J. Vollbrecht, "Proxy Chaining and ../data/rfc/rfc3588.txt- Policy Implementation in Roaming", RFC 2607, June ../data/rfc/rfc3588.txt- 1999. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: [RADACCT] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- [RADEXT] Rigney, C., Willats, W. and P. Calhoun, "RADIUS ../data/rfc/rfc3588.txt- Extensions", RFC 2869, June 2000. ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- [RADIUS] Rigney, C., Willens, S., Rubens, A. and W. Simpson, -- ../data/rfc/rfc3588.txt- The following service template describes the attributes used by ../data/rfc/rfc3588.txt- Diameter servers to advertise themselves. This simplifies the ../data/rfc/rfc3588.txt- process of selecting an appropriate server to communicate with. A ../data/rfc/rfc3588.txt- Diameter client can request specific Diameter servers based on ../data/rfc/rfc3588.txt- characteristics of the Diameter service desired (for example, an AAA ../data/rfc/rfc3588.txt: server to use for accounting). ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Name of submitter: "Erik Guttman" <Erik.Guttman@sun.com> Language of ../data/rfc/rfc3588.txt- service template: en ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- Security Considerations: -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt-Appendix C. Duplicate Detection ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: As described in Section 9.4, accounting record duplicate detection is ../data/rfc/rfc3588.txt- based on session identifiers. Duplicates can appear for various ../data/rfc/rfc3588.txt- reasons: ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- - Failover to an alternate server.
Where close to real-time ../data/rfc/rfc3588.txt- performance is required, failover thresholds need to be kept low -- ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt- The T flag is used as an indication of an application layer ../data/rfc/rfc3588.txt- retransmission event, e.g., due to failover to an alternate server. ../data/rfc/rfc3588.txt- It is defined only for request messages sent by Diameter clients or ../data/rfc/rfc3588.txt- agents. For instance, after a reboot, a client may not know whether ../data/rfc/rfc3588.txt: it has already tried to send the accounting records in its non-volatile memory before the reboot occurred. Diameter servers MAY use ../data/rfc/rfc3588.txt- the T flag as an aid when processing requests and detecting duplicate ../data/rfc/rfc3588.txt- messages. However, servers that do this MUST ensure that duplicates ../data/rfc/rfc3588.txt- are found even when the first transmitted request arrives at the ../data/rfc/rfc3588.txt- server after the retransmitted request. It can be used only in cases -- ../data/rfc/rfc3588.txt- the request is sent again (e.g., due to a failover to an alternate ../data/rfc/rfc3588.txt- peer, due to a recovered primary peer or due to a client re-sending a ../data/rfc/rfc3588.txt- stored record from non-volatile memory such as after reboot of a ../data/rfc/rfc3588.txt- client or agent). ../data/rfc/rfc3588.txt- ../data/rfc/rfc3588.txt: In some cases the Diameter accounting server can delay the duplicate ../data/rfc/rfc3588.txt: detection and accounting record processing until a post-processing ../data/rfc/rfc3588.txt- phase takes place. At that time records are likely to be sorted ../data/rfc/rfc3588.txt- according to the included User-Name and duplicate elimination is easy ../data/rfc/rfc3588.txt- in this case.
In other situations it may be necessary to perform ../data/rfc/rfc3588.txt- real-time duplicate detection, such as when credit limits are imposed ../data/rfc/rfc3588.txt- or real-time fraud detection is desired. -- ../data/rfc/rfc3588.txt- increases as the failover interval is decreased. In order to be ../data/rfc/rfc3588.txt- able to detect out of order duplicates, the Diameter server should ../data/rfc/rfc3588.txt- use backward and forward time windows when performing duplicate ../data/rfc/rfc3588.txt- checking for the T flag marked request. For example, in order to ../data/rfc/rfc3588.txt- allow time for the original record to exit the network and be ../data/rfc/rfc3588.txt: recorded by the accounting server, the Diameter server can delay ../data/rfc/rfc3588.txt- processing records with the T flag set until a time period ../data/rfc/rfc3588.txt- TIME_WAIT + RECORD_PROCESSING_TIME has elapsed after the closing ../data/rfc/rfc3588.txt- of the original transport connection. After this time period has ../data/rfc/rfc3588.txt- expired, then it may check the T flag marked records against the ../data/rfc/rfc3588.txt- database with relative assurance that the original records, if -- ../data/rfc/rfc4671.txt-Request for Comments: 4671 Enterasys Networks ../data/rfc/rfc4671.txt-Obsoletes: 2621 August 2006 ../data/rfc/rfc4671.txt-Category: Informational ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt: RADIUS Accounting Server MIB for IPv6 ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-Status of This Memo ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- This memo provides information for the Internet community. It does ../data/rfc/rfc4671.txt- not specify an Internet standard of any kind. Distribution of this -- ../data/rfc/rfc4671.txt- Copyright (C) The Internet Society (2006). 
../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-Abstract ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- This memo defines a set of extensions that instrument RADIUS ../data/rfc/rfc4671.txt: accounting server functions. These extensions represent a portion of ../data/rfc/rfc4671.txt- the Management Information Base (MIB) for use with network management ../data/rfc/rfc4671.txt- protocols in the Internet community. Using these extensions, ../data/rfc/rfc4671.txt: IP-based management stations can manage RADIUS accounting servers. ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- This memo obsoletes RFC 2621 by deprecating the MIB table containing ../data/rfc/rfc4671.txt- IPv4-only address formats and defining a new table to add support for ../data/rfc/rfc4671.txt- version-neutral IP address formats. The remaining MIB objects from ../data/rfc/rfc4671.txt- RFC 2621 are carried forward into this document. This memo also adds -- ../data/rfc/rfc4671.txt-1. Introduction ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- This memo defines a portion of the Management Information Base (MIB) ../data/rfc/rfc4671.txt- for use with network management protocols in the Internet community. ../data/rfc/rfc4671.txt- The objects defined within this memo relate to the Remote ../data/rfc/rfc4671.txt: Authentication Dial-In User Service (RADIUS) Accounting Server as ../data/rfc/rfc4671.txt- defined in RFC 2866 [RFC2866]. ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-2. Terminology ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", -- ../data/rfc/rfc4671.txt- RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 ../data/rfc/rfc4671.txt- [RFC2580]. ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-4. 
Scope of Changes ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt: This document obsoletes RFC 2621 [RFC2621], RADIUS Accounting Server ../data/rfc/rfc4671.txt- MIB, by deprecating the radiusAccClientTable table and adding a new ../data/rfc/rfc4671.txt- table, radiusAccClientExtTable, containing ../data/rfc/rfc4671.txt- radiusAccClientInetAddressType and radiusAccClientInetAddress. The ../data/rfc/rfc4671.txt- purpose of these added MIB objects is to support version-neutral IP ../data/rfc/rfc4671.txt- addressing formats. The existing table containing -- ../data/rfc/rfc4671.txt- changed to "deprecated". The other approach, of having multiple ../data/rfc/rfc4671.txt- similar tables for different IP versions, is strongly discouraged.' ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-5. Structure of the MIB Module ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt: The RADIUS accounting protocol, described in RFC 2866 [RFC2866], ../data/rfc/rfc4671.txt- distinguishes between the client function and the server function. ../data/rfc/rfc4671.txt: In RADIUS accounting, clients send Accounting-Requests, and servers ../data/rfc/rfc4671.txt: reply with Accounting-Responses. Typically, Network Access Server ../data/rfc/rfc4671.txt- (NAS) devices implement the client function, and thus would be ../data/rfc/rfc4671.txt: expected to implement the RADIUS accounting client MIB, while RADIUS ../data/rfc/rfc4671.txt: accounting servers implement the server function, and thus would be ../data/rfc/rfc4671.txt: expected to implement the RADIUS accounting server MIB. ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt: However, it is possible for a RADIUS accounting entity to perform ../data/rfc/rfc4671.txt- both client and server functions. For example, a RADIUS proxy may ../data/rfc/rfc4671.txt: act as a server to one or more RADIUS accounting clients, while ../data/rfc/rfc4671.txt: simultaneously acting as an accounting client to one or more ../data/rfc/rfc4671.txt: accounting servers. 
In such situations, it is expected that RADIUS ../data/rfc/rfc4671.txt- entities combining client and server functionality will support both ../data/rfc/rfc4671.txt- the client and server MIBs. The server MIB is defined in this ../data/rfc/rfc4671.txt- document, and the client MIB is defined in [RFC4670]. ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- This MIB module contains thirteen scalars as well as a single table, ../data/rfc/rfc4671.txt: the RADIUS Accounting Client Table, which contains one row for each ../data/rfc/rfc4671.txt: RADIUS accounting client with which the server shares a secret. Each ../data/rfc/rfc4671.txt: entry in the RADIUS Accounting Client Table includes twelve columns ../data/rfc/rfc4671.txt: presenting a view of the activity of the RADIUS accounting server. ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- This MIB imports from [RFC2578], [RFC2580], [RFC3411], and [RFC4001]. ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- -- ../data/rfc/rfc4671.txt- accurately be represented in both the new table and the ../data/rfc/rfc4671.txt- deprecated table. ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- Managed entities SHOULD NOT instantiate row entries in the deprecated ../data/rfc/rfc4671.txt- table, containing IPv4-only address objects, when the RADIUS ../data/rfc/rfc4671.txt: accounting client address represented in such a table row is not an ../data/rfc/rfc4671.txt- IPv4 address. Managed entities SHOULD NOT return inaccurate values ../data/rfc/rfc4671.txt- of IP address or SNMP object access errors for IPv4-only address ../data/rfc/rfc4671.txt- objects in otherwise populated tables. 
When row entries exist in ../data/rfc/rfc4671.txt- both the deprecated IPv4-only table and the new IP-version-neutral ../data/rfc/rfc4671.txt: table that describe the same RADIUS accounting client, the row ../data/rfc/rfc4671.txt- indexes SHOULD be the same for the corresponding rows in each table, ../data/rfc/rfc4671.txt- to facilitate correlation of these related rows by management ../data/rfc/rfc4671.txt- applications. ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-7. Definitions -- ../data/rfc/rfc4671.txt- Phone: +1 425 936 6605 ../data/rfc/rfc4671.txt- EMail: bernarda@microsoft.com" ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "The MIB module for entities implementing the server ../data/rfc/rfc4671.txt- side of the Remote Authentication Dial-In User ../data/rfc/rfc4671.txt: Service (RADIUS) accounting protocol. Copyright (C) ../data/rfc/rfc4671.txt- The Internet Society (2006). This version of this ../data/rfc/rfc4671.txt- MIB module is part of RFC 4671; see the RFC itself ../data/rfc/rfc4671.txt- for full legal notices." ../data/rfc/rfc4671.txt- REVISION "200608210000Z" -- 21 August 2006 ../data/rfc/rfc4671.txt- DESCRIPTION -- ../data/rfc/rfc4671.txt- and defining a new table to add support for version- ../data/rfc/rfc4671.txt- neutral IP address formats. The remaining MIB objects ../data/rfc/rfc4671.txt- from RFC 2621 are carried forward into this version." ../data/rfc/rfc4671.txt- REVISION "199906110000Z" -- 11 Jun 1999 ../data/rfc/rfc4671.txt- DESCRIPTION "Initial version as published in RFC 2621." ../data/rfc/rfc4671.txt: ::= { radiusAccounting 1 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusMIB OBJECT-IDENTITY ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "The OID assigned to RADIUS MIB work by the IANA." 
../data/rfc/rfc4671.txt- ::= { mib-2 67 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt: radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2} ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServMIBObjects OBJECT IDENTIFIER ../data/rfc/rfc4671.txt- ::= { radiusAccServMIB 1 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServ OBJECT IDENTIFIER -- ../data/rfc/rfc4671.txt- SYNTAX SnmpAdminString ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "The implementation identification string for the ../data/rfc/rfc4671.txt: RADIUS accounting server software in use on the ../data/rfc/rfc4671.txt- system, for example, 'FNS-2.1'." ../data/rfc/rfc4671.txt- ::= {radiusAccServ 1} ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServUpTime OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX TimeTicks -- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- "The number of packets received on the ../data/rfc/rfc4671.txt: accounting port." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 4.1" ../data/rfc/rfc4671.txt- ::= { radiusAccServ 5 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServTotalInvalidRequests OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc4671.txt- received from unknown addresses." 
../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 sections 2, 4.1" ../data/rfc/rfc4671.txt- ::= { radiusAccServ 6 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServTotalDupRequests OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of duplicate RADIUS Accounting-Request ../data/rfc/rfc4671.txt- packets received." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 4.1" ../data/rfc/rfc4671.txt- ::= { radiusAccServ 7 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServTotalResponses OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of RADIUS Accounting-Response packets ../data/rfc/rfc4671.txt- sent." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 4.2" ../data/rfc/rfc4671.txt- ::= { radiusAccServ 8 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServTotalMalformedRequests OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of malformed RADIUS Accounting-Request ../data/rfc/rfc4671.txt- packets received. Bad authenticators or unknown ../data/rfc/rfc4671.txt- types are not included as malformed Access-Requests." 
../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 3" ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- -- ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc4671.txt- that contained an invalid authenticator." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 3" ../data/rfc/rfc4671.txt- ::= { radiusAccServ 10 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServTotalPacketsDropped OBJECT-TYPE -- ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc4671.txt- that were received and responded to but not ../data/rfc/rfc4671.txt- recorded." ../data/rfc/rfc4671.txt- ::= { radiusAccServ 12 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServTotalUnknownTypes OBJECT-TYPE -- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- SYNTAX SEQUENCE OF RadiusAccClientEntry ../data/rfc/rfc4671.txt- MAX-ACCESS not-accessible ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The (conceptual) table listing the RADIUS accounting ../data/rfc/rfc4671.txt- clients with which the server shares a secret." 
../data/rfc/rfc4671.txt- ::= { radiusAccServ 14 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccClientEntry OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX RadiusAccClientEntry ../data/rfc/rfc4671.txt- MAX-ACCESS not-accessible ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "An entry (conceptual row) representing a RADIUS ../data/rfc/rfc4671.txt: accounting client with which the server shares a ../data/rfc/rfc4671.txt- secret." ../data/rfc/rfc4671.txt- INDEX { radiusAccClientIndex } ../data/rfc/rfc4671.txt- ::= { radiusAccClientTable 1 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- RadiusAccClientEntry ::= SEQUENCE { -- ../data/rfc/rfc4671.txt- radiusAccClientIndex OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX Integer32 (1..2147483647) ../data/rfc/rfc4671.txt- MAX-ACCESS not-accessible ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "A number uniquely identifying each RADIUS accounting ../data/rfc/rfc4671.txt- client with which this server communicates." 
../data/rfc/rfc4671.txt- ::= { radiusAccClientEntry 1 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccClientAddress OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX IpAddress ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The NAS-IP-Address of the RADIUS accounting client ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-Nelson Informational [Page 10] ../data/rfc/rfc4671.txt- -- ../data/rfc/rfc4671.txt- radiusAccClientID OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX SnmpAdminString ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The NAS-Identifier of the RADIUS accounting client ../data/rfc/rfc4671.txt- referred to in this table entry. This is not ../data/rfc/rfc4671.txt- necessarily the same as sysName in MIB II." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2865 section 5.32" ../data/rfc/rfc4671.txt- ::= { radiusAccClientEntry 3 } ../data/rfc/rfc4671.txt- -- ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "The number of packets received from this ../data/rfc/rfc4671.txt: client on the accounting port." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 4.1" ../data/rfc/rfc4671.txt- ::= { radiusAccClientEntry 5 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServDupRequests OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX Counter32 -- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of duplicate RADIUS Accounting-Request ../data/rfc/rfc4671.txt- packets received from this client." 
../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 4.1" ../data/rfc/rfc4671.txt- ::= { radiusAccClientEntry 6 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServResponses OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of RADIUS Accounting-Response packets ../data/rfc/rfc4671.txt- sent to this client." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 4.2" ../data/rfc/rfc4671.txt- ::= { radiusAccClientEntry 7 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServBadAuthenticators OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc4671.txt- that contained invalid authenticators received ../data/rfc/rfc4671.txt- from this client." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 3" ../data/rfc/rfc4671.txt- ::= { radiusAccClientEntry 8 } ../data/rfc/rfc4671.txt- -- ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of malformed RADIUS Accounting-Request ../data/rfc/rfc4671.txt- packets that were received from this client. ../data/rfc/rfc4671.txt- Bad authenticators and unknown types ../data/rfc/rfc4671.txt: are not included as malformed Accounting-Requests." 
../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 3" ../data/rfc/rfc4671.txt- ::= { radiusAccClientEntry 9 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServNoRecords OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX Counter32 -- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc4671.txt- that were received and responded to but not ../data/rfc/rfc4671.txt- recorded." ../data/rfc/rfc4671.txt- ::= { radiusAccClientEntry 10 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServUnknownTypes OBJECT-TYPE -- ../data/rfc/rfc4671.txt- radiusAccClientExtTable OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX SEQUENCE OF RadiusAccClientExtEntry ../data/rfc/rfc4671.txt- MAX-ACCESS not-accessible ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The (conceptual) table listing the RADIUS accounting ../data/rfc/rfc4671.txt- clients with which the server shares a secret." ../data/rfc/rfc4671.txt- ::= { radiusAccServ 15 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccClientExtEntry OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX RadiusAccClientExtEntry ../data/rfc/rfc4671.txt- MAX-ACCESS not-accessible ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "An entry (conceptual row) representing a RADIUS ../data/rfc/rfc4671.txt: accounting client with which the server shares a ../data/rfc/rfc4671.txt- secret." 
../data/rfc/rfc4671.txt- INDEX { radiusAccClientExtIndex } ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtTable 1 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- RadiusAccClientExtEntry ::= SEQUENCE { -- ../data/rfc/rfc4671.txt- radiusAccClientExtIndex OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX Integer32 (1..2147483647) ../data/rfc/rfc4671.txt- MAX-ACCESS not-accessible ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "A number uniquely identifying each RADIUS accounting ../data/rfc/rfc4671.txt- client with which this server communicates." ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 1 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccClientInetAddressType OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX InetAddressType -- ../data/rfc/rfc4671.txt- radiusAccClientInetAddress OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX InetAddress ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The IP address of the RADIUS accounting ../data/rfc/rfc4671.txt- client referred to in this table entry, using ../data/rfc/rfc4671.txt- the IPv6 address format." ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 3 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccClientExtID OBJECT-TYPE ../data/rfc/rfc4671.txt- SYNTAX SnmpAdminString ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The NAS-Identifier of the RADIUS accounting client ../data/rfc/rfc4671.txt- referred to in this table entry. This is not ../data/rfc/rfc4671.txt- necessarily the same as sysName in MIB II." 
../data/rfc/rfc4671.txt- REFERENCE "RFC 2865 section 5.32" ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 4 } ../data/rfc/rfc4671.txt- -- ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "The number of incoming packets received from this ../data/rfc/rfc4671.txt- client and silently discarded for a reason other ../data/rfc/rfc4671.txt- than malformed, bad authenticators, or unknown types. ../data/rfc/rfc4671.txt- This counter may experience a discontinuity when the ../data/rfc/rfc4671.txt: RADIUS Accounting Server module within the managed ../data/rfc/rfc4671.txt- entity is reinitialized, as indicated by the current ../data/rfc/rfc4671.txt- value of radiusAccServerCounterDiscontinuity." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 3" ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 5 } ../data/rfc/rfc4671.txt- -- ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "The number of packets received from this ../data/rfc/rfc4671.txt: client on the accounting port. This counter ../data/rfc/rfc4671.txt- may experience a discontinuity when the ../data/rfc/rfc4671.txt: RADIUS Accounting Server module within the ../data/rfc/rfc4671.txt- managed entity is reinitialized, as indicated by ../data/rfc/rfc4671.txt- the current value of ../data/rfc/rfc4671.txt- radiusAccServerCounterDiscontinuity." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 4.1" ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 6 } -- ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of duplicate RADIUS Accounting-Request ../data/rfc/rfc4671.txt- packets received from this client. 
This counter ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-Nelson Informational [Page 15] ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- may experience a discontinuity when the RADIUS ../data/rfc/rfc4671.txt: Accounting Server module within the managed ../data/rfc/rfc4671.txt- entity is reinitialized, as indicated by the ../data/rfc/rfc4671.txt- current value of ../data/rfc/rfc4671.txt- radiusAccServerCounterDiscontinuity." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 4.1" ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 7 } -- ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of RADIUS Accounting-Response packets ../data/rfc/rfc4671.txt- sent to this client. This counter may experience ../data/rfc/rfc4671.txt: a discontinuity when the RADIUS Accounting Server ../data/rfc/rfc4671.txt- module within the managed entity is reinitialized, ../data/rfc/rfc4671.txt- as indicated by the current value of ../data/rfc/rfc4671.txt- radiusAccServerCounterDiscontinuity." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 4.2" ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 8 } -- ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc4671.txt- that contained invalid authenticators received ../data/rfc/rfc4671.txt- from this client. 
This counter may experience a ../data/rfc/rfc4671.txt: discontinuity when the RADIUS Accounting Server ../data/rfc/rfc4671.txt- module within the managed entity is reinitialized, ../data/rfc/rfc4671.txt- as indicated by the current value of ../data/rfc/rfc4671.txt- radiusAccServerCounterDiscontinuity." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 3" ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 9 } -- ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of malformed RADIUS Accounting-Request ../data/rfc/rfc4671.txt- packets that were received from this client. ../data/rfc/rfc4671.txt- Bad authenticators and unknown types are not ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-Nelson Informational [Page 16] ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-RFC 4671 RADIUS Acct Server MIB (IPv6) August 2006 ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt: included as malformed Accounting-Requests. This ../data/rfc/rfc4671.txt- counter may experience a discontinuity when the ../data/rfc/rfc4671.txt: RADIUS Accounting Server module within the managed ../data/rfc/rfc4671.txt- entity is reinitialized, as indicated by the current ../data/rfc/rfc4671.txt- value of radiusAccServerCounterDiscontinuity." 
../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 3" ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 10 } ../data/rfc/rfc4671.txt- -- ../data/rfc/rfc4671.txt- SYNTAX Counter32 ../data/rfc/rfc4671.txt- UNITS "packets" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The number of RADIUS Accounting-Request packets ../data/rfc/rfc4671.txt- that were received and responded to but not ../data/rfc/rfc4671.txt- recorded. This counter may experience a ../data/rfc/rfc4671.txt: discontinuity when the RADIUS Accounting Server ../data/rfc/rfc4671.txt- module within the managed entity is reinitialized, ../data/rfc/rfc4671.txt- as indicated by the current value of ../data/rfc/rfc4671.txt- radiusAccServerCounterDiscontinuity." ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 11 } ../data/rfc/rfc4671.txt- -- ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "The number of RADIUS packets of unknown type that ../data/rfc/rfc4671.txt- were received from this client. This counter may ../data/rfc/rfc4671.txt: experience a discontinuity when the RADIUS Accounting ../data/rfc/rfc4671.txt- Server module within the managed entity is ../data/rfc/rfc4671.txt- reinitialized, as indicated by the current value of ../data/rfc/rfc4671.txt- radiusAccServerCounterDiscontinuity." ../data/rfc/rfc4671.txt- REFERENCE "RFC 2866 section 4" ../data/rfc/rfc4671.txt- ::= { radiusAccClientExtEntry 12 } -- ../data/rfc/rfc4671.txt- UNITS "centiseconds" ../data/rfc/rfc4671.txt- MAX-ACCESS read-only ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "The number of centiseconds since the last ../data/rfc/rfc4671.txt: discontinuity in the RADIUS Accounting Server ../data/rfc/rfc4671.txt- counters. 
A discontinuity may be the result of ../data/rfc/rfc4671.txt: a reinitialization of the RADIUS Accounting Server ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt-Nelson Informational [Page 17] ../data/rfc/rfc4671.txt- -- ../data/rfc/rfc4671.txt- -- compliance statements ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServMIBCompliance MODULE-COMPLIANCE ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The compliance statement for accounting servers ../data/rfc/rfc4671.txt: implementing the RADIUS Accounting Server MIB. ../data/rfc/rfc4671.txt- Implementation of this module is for IPv4-only ../data/rfc/rfc4671.txt- entities, or for backwards compatibility use with ../data/rfc/rfc4671.txt- entities that support both IPv4 and IPv6." ../data/rfc/rfc4671.txt- MODULE -- this module ../data/rfc/rfc4671.txt- MANDATORY-GROUPS { radiusAccServMIBGroup } -- ../data/rfc/rfc4671.txt- ::= { radiusAccServMIBCompliances 1 } ../data/rfc/rfc4671.txt- ../data/rfc/rfc4671.txt- radiusAccServExtMIBCompliance MODULE-COMPLIANCE ../data/rfc/rfc4671.txt- STATUS current ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt: "The compliance statement for accounting ../data/rfc/rfc4671.txt: servers implementing the RADIUS Accounting ../data/rfc/rfc4671.txt- Server IPv6 Extensions MIB. Implementation of ../data/rfc/rfc4671.txt- this module is for entities that support IPv6, ../data/rfc/rfc4671.txt- or support IPv4 and IPv6." ../data/rfc/rfc4671.txt- MODULE -- this module ../data/rfc/rfc4671.txt- MANDATORY-GROUPS { radiusAccServExtMIBGroup } -- ../data/rfc/rfc4671.txt- radiusAccServUnknownTypes ../data/rfc/rfc4671.txt- } ../data/rfc/rfc4671.txt- STATUS deprecated ../data/rfc/rfc4671.txt- DESCRIPTION ../data/rfc/rfc4671.txt- "The collection of objects providing management of ../data/rfc/rfc4671.txt: a RADIUS Accounting Server." 
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt-Nelson Informational [Page 19]
../data/rfc/rfc4671.txt-
--
../data/rfc/rfc4671.txt- radiusAccServerCounterDiscontinuity
../data/rfc/rfc4671.txt- }
../data/rfc/rfc4671.txt- STATUS current
../data/rfc/rfc4671.txt- DESCRIPTION
../data/rfc/rfc4671.txt- "The collection of objects providing management of
../data/rfc/rfc4671.txt: a RADIUS Accounting Server."
../data/rfc/rfc4671.txt- ::= { radiusAccServMIBGroups 2 }
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt- END
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt-8. Security Considerations
--
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt- There are a number of managed objects in this MIB that may contain
../data/rfc/rfc4671.txt- sensitive information. These are:
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt- radiusAccClientIPAddress
../data/rfc/rfc4671.txt: This can be used to determine the address of the RADIUS accounting
../data/rfc/rfc4671.txt- client with which the server is communicating. This information
../data/rfc/rfc4671.txt: could be useful in mounting an attack on the accounting client.
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt- radiusAccClientInetAddress
../data/rfc/rfc4671.txt: This can be used to determine the address of the RADIUS accounting
../data/rfc/rfc4671.txt- client with which the server is communicating. This information
../data/rfc/rfc4671.txt: could be useful in mounting an attack on the accounting client.
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt- It is thus important to control even GET access to these objects and
../data/rfc/rfc4671.txt- possibly to even encrypt the values of these object when sending them
../data/rfc/rfc4671.txt- over the network via SNMP. Not all versions of SNMP provide features
../data/rfc/rfc4671.txt- for such a secure environment.
--
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt- [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
../data/rfc/rfc4671.txt- "Conformance Statements for SMIv2", STD 58, RFC 2580,
../data/rfc/rfc4671.txt- April 1999.
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt- [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
../data/rfc/rfc4671.txt- Architecture for Describing Simple Network Management
../data/rfc/rfc4671.txt- Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
../data/rfc/rfc4671.txt- December 2002.
--
../data/rfc/rfc4671.txt- Schoenwaelder, "Textual Conventions for Internet Network
../data/rfc/rfc4671.txt- Addresses", RFC 4001, February 2005.
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt-9.2. Informative References
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt: [RFC2621] Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
../data/rfc/rfc4671.txt- RFC 2621, June 1999.
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
../data/rfc/rfc4671.txt- "Remote Authentication Dial In User Service (RADIUS)",
../data/rfc/rfc4671.txt- RFC 2865, June 2000.
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt- [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
../data/rfc/rfc4671.txt- "Introduction and Applicability Statements for Internet-
../data/rfc/rfc4671.txt- Standard Management Framework", RFC 3410, December 2002.
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt: [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", RFC
../data/rfc/rfc4671.txt- 4670, August 2006.
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt-
../data/rfc/rfc4671.txt-
--
../data/rfc/rfc5578.txt- session credit calculations. The Credit Scale Factor TLV is optional
../data/rfc/rfc5578.txt- with the PADR and PADS packets. Once the session is established with
../data/rfc/rfc5578.txt- specified scale factors, the scale factors are set for the entire
../data/rfc/rfc5578.txt- session. The scale factor value represents the units that the local
../data/rfc/rfc5578.txt- node grants to the remote node. The remote node is responsible for
../data/rfc/rfc5578.txt: maintaining the credit accounting relative to the data flow back to
../data/rfc/rfc5578.txt- the local node.
../data/rfc/rfc5578.txt-
../data/rfc/rfc5578.txt- The Credit Scale Factor TLV can be used to change from the default
../data/rfc/rfc5578.txt- 64-byte credit unit during the PADR-PADS exchange. The credit scale
../data/rfc/rfc5578.txt- factor value can range from 1 byte to 65535 bytes. A zero value is
--
../data/rfc/rfc5578.txt-4. Credit Flow Considerations
../data/rfc/rfc5578.txt-
../data/rfc/rfc5578.txt- For a given session, credit grants exchanged in the Discovery Stage,
../data/rfc/rfc5578.txt- PADG-PADC, are referred to as out-of-band. Credit grants exchanged
../data/rfc/rfc5578.txt- in the PPP Session Stage are referred to as in-band. Credit
../data/rfc/rfc5578.txt: accounting is only applied to the packets transmitted in the PPP
../data/rfc/rfc5578.txt- Session Stage.
../data/rfc/rfc5578.txt-
../data/rfc/rfc5578.txt- Out-of-band credit management is handled by periodic exchange of the
../data/rfc/rfc5578.txt- PPPoE Active Discovery Session-Grant (PADG) and PPPoE Active
../data/rfc/rfc5578.txt- Discovery Credit Response (PADC) packets.
--
../data/rfc/rfc2903.txt-
../data/rfc/rfc2903.txt- Copyright (C) The Internet Society (2000). All Rights Reserved.
../data/rfc/rfc2903.txt-
../data/rfc/rfc2903.txt-Abstract
../data/rfc/rfc2903.txt-
../data/rfc/rfc2903.txt: This memo proposes an Authentication, Authorization, Accounting (AAA)
../data/rfc/rfc2903.txt- architecture that would incorporate a generic AAA server along with
../data/rfc/rfc2903.txt- an application interface to a set of Application Specific Modules
../data/rfc/rfc2903.txt- that could perform application specific AAA functions. A separation
../data/rfc/rfc2903.txt- of AAA functions required in a multi-domain environment is then
../data/rfc/rfc2903.txt- proposed using a layered protocol abstraction. The long term goal is
--
../data/rfc/rfc2903.txt- generic AAA server and a set of one or more Application Specific
../data/rfc/rfc2903.txt- Modules (ASMs) which can carry out the unique functionality required
../data/rfc/rfc2903.txt- by each application.
../data/rfc/rfc2903.txt-
../data/rfc/rfc2903.txt- Since the data required by each application for authentication,
../data/rfc/rfc2903.txt: authorization, or accounting may have unique structure, the standard
../data/rfc/rfc2903.txt- AAA protocol should allow the encapsulation of opaque units of
../data/rfc/rfc2903.txt- Application Specific Information (ASI). These units would begin with
../data/rfc/rfc2903.txt- a standard header to allow them to be forwarded by the generic
../data/rfc/rfc2903.txt- infrastructure. When delivered to the final destination, an ASI unit
../data/rfc/rfc2903.txt- would be passed by a generic AAA server across its program interface
--
../data/rfc/rfc2903.txt- Application Specific Modules by applying security techniques such as
../data/rfc/rfc2903.txt- public key encryption or digital signatures to the Application
../data/rfc/rfc2903.txt- Specific Information units individually, so that different
../data/rfc/rfc2903.txt- stakeholders in the AAA server network can protect selected
../data/rfc/rfc2903.txt- information units from being deciphered or altered by other
../data/rfc/rfc2903.txt: stakeholders in an authentication, authorization, or accounting
../data/rfc/rfc2903.txt- chain.
../data/rfc/rfc2903.txt-
../data/rfc/rfc2903.txt-2. Generic AAA Architecture
../data/rfc/rfc2903.txt-
../data/rfc/rfc2903.txt- For the long term we envision a generic AAA server which is capable
../data/rfc/rfc2903.txt- of authenticating users, handling authorization requests, and
../data/rfc/rfc2903.txt: collecting accounting data. For a service provider, such a generic
../data/rfc/rfc2903.txt- AAA server would be interfaced to an application specific module
../data/rfc/rfc2903.txt- which manages the resource for which authorization is required.
../data/rfc/rfc2903.txt- Generic AAA components would also be deployed in other administrative
../data/rfc/rfc2903.txt- domains performing authorization functions.
../data/rfc/rfc2903.txt-
--
../data/rfc/rfc2903.txt-
../data/rfc/rfc2903.txt- In each of these cases, the AAA-TSM service layer must synchronize
../data/rfc/rfc2903.txt- the Authorized Session's distributed state across all of those AAA
../data/rfc/rfc2903.txt- Servers which are implementing that specific Authorized Session.
../data/rfc/rfc2903.txt-
../data/rfc/rfc2903.txt: Accounting -- Generate any relevant accounting information regarding
../data/rfc/rfc2903.txt- the authorization decision and the associated Authorized Session
../data/rfc/rfc2903.txt- (if any) that represents the ongoing consumption of those services
../data/rfc/rfc2903.txt- or resources.
../data/rfc/rfc2903.txt-
../data/rfc/rfc2903.txt- The peer AAA servers and their AAA-TSM end points exchange AAA-TSM
--
../data/rfc/rfc477.txt- and back in again, possibly from another site.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- The sequence of events involved in using RJS are as follows. First,
../data/rfc/rfc477.txt- the user logs in, specifying a user name, password, and account
../data/rfc/rfc477.txt- number. In addition to indicating how subsequent use of RJS is to be
../data/rfc/rfc477.txt: billed, this accounting information identifies the owner of a
../data/rfc/rfc477.txt- particular RJE terminal. That is, the association between user name
../data/rfc/rfc477.txt- and HASP virtual RJE terminal is unique, and only one individual is
../data/rfc/rfc477.txt- allowed logged in under a given user name at a time.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- At present, billing within RJS is not implemented, and therefore the
--
../data/rfc/rfc477.txt- In order to simplify specification of job parameters, RJS maintains a
../data/rfc/rfc477.txt- set of accumulators for these parameters. Each accumulator is
../data/rfc/rfc477.txt- initially empty, and may have its contents set or referred to by
../data/rfc/rfc477.txt- various commands. The following parameter accumulators are
../data/rfc/rfc477.txt- maintained for each user (user name, password, and account together
../data/rfc/rfc477.txt: are termed accounting parameters): login accounting parameter (those
../data/rfc/rfc477.txt- specified either in the LOGIN or the USER, PASS, and ACCT commands),
../data/rfc/rfc477.txt: source pathname, print pathname, punch pathname, source accounting
../data/rfc/rfc477.txt: parameter, print accounting parameter, and punch accounting
../data/rfc/rfc477.txt- parameter. In addition, associated with each job are the parameters
../data/rfc/rfc477.txt- source, print, and punch pathname, and source, print, and punch
../data/rfc/rfc477.txt: accounting parameters.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- When the TELNET connections are first opened, RJS sends the user a
../data/rfc/rfc477.txt- herald message of the form '300 UCSB RJS (VER. <date>) TTY
../data/rfc/rfc477.txt- <integer>.', where <date> identifies the current version of RJS, and
../data/rfc/rfc477.txt- <integer> identifies the user's terminal in the sense that each
--
../data/rfc/rfc477.txt- response '504 LOGIN PLEASE.' is displayed if the user is not logged
../data/rfc/rfc477.txt- in.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'USER' ['='] <user name> <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt: Specifies the user's user name for accounting purposes, initiates
../data/rfc/rfc477.txt- login, and initializes the source, print, and punch user name
../data/rfc/rfc477.txt- accumulators to <user name>. To complete login, this command must be
../data/rfc/rfc477.txt- followed by a successful PASS command. The only other command
../data/rfc/rfc477.txt- allowed before the user is logged in is BYE. The response to a
../data/rfc/rfc477.txt- syntactically valid USER command is always '330 ENTER PASSWORD'
--
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- The remaining commands require the user to be logged in.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'REINIT' <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt: Resets to empty the source, print, and punch accounting parameter,
../data/rfc/rfc477.txt: the source, print, and punch pathname, and the login accounting
../data/rfc/rfc477.txt- parameter accumulators. The response to a REINIT command is always
../data/rfc/rfc477.txt- '204 OK'.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- ('INUSER' _ 'INID') ['='] <user name> <CA>
../data/rfc/rfc477.txt-
--
../data/rfc/rfc477.txt- produced
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'INPUT' <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- Creates a job, stores with it the contents of the source, print, and
../data/rfc/rfc477.txt: punch accounting parameter and pathname accumulators, and places it
../data/rfc/rfc477.txt- in a queue within RJS of jobs owned by the user awaiting source file
../data/rfc/rfc477.txt- transfer. When it becomes the first or only job in this queue, the
../data/rfc/rfc477.txt- retrieval of its source file is initiated. A job identifier
../data/rfc/rfc477.txt- ('jobid') is assigned to the job and displayed to the user. The
../data/rfc/rfc477.txt- contents of the source and print pathname accumulators must have been
--
../data/rfc/rfc477.txt- 'STATUS' <jobid> <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- Causes the status of the job known to RJS as <jobid> to be displayed.
../data/rfc/rfc477.txt- Included in this display are in which stage of RJS processing the job
../data/rfc/rfc477.txt- is ('BEING READ', 'IN EXECUTION', 'BEING PRINTED', 'BEING PUNCHED',
../data/rfc/rfc477.txt: or 'HAS COMPLETED'), the pathname information (accounting parameters,
../data/rfc/rfc477.txt- host name, socket number, attributes, disposition, and filename) for
../data/rfc/rfc477.txt- those files (source, print and punch) that have been supplied for the
../data/rfc/rfc477.txt- job, and if the job has failed at some stage of RJS processing, an
../data/rfc/rfc477.txt- explanation of the failure. The possible responses are '464 JOB
../data/rfc/rfc477.txt- <jobid> NOT FOUND.', and a line with reply code 161 followed by zero
--
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'LOGIN' <user name> <password> <account> <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- Specifies the UCSB Computer Center user name and account to which the
../data/rfc/rfc477.txt- user's use Of RJS is to be billed, logs the user in, and sets the
../data/rfc/rfc477.txt: source, print, and punch accounting parameter accumulators to <user
../data/rfc/rfc477.txt- name>, <password> and <account>. This command is valid only if the
../data/rfc/rfc477.txt- user is not logged in, and has the same replies as the standard
../data/rfc/rfc477.txt- syntax 'PASS' command.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'DISCONNECT' <CA>
--
../data/rfc/rfc477.txt- The remaining commands require the user to be logged in.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'LOG0UT' <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- Logs the user out and terminates billing of subsequent activity over
../data/rfc/rfc477.txt: the TELNET connection to the previously effective accounting
../data/rfc/rfc477.txt- parameters, and performs the effective action of the REINITIALIZE
../data/rfc/rfc477.txt- command. LOGOUT does not close the TELNET connection, nor does it
../data/rfc/rfc477.txt- affect any file transfers in progress for jobs owned by the user.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'REINITIALIZE' <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- Resets to empty the following accumulators: source, print and punch
../data/rfc/rfc477.txt: accounting parameter, source, print and punch pathname, and login
../data/rfc/rfc477.txt: accounting parameter.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt: 'ACCOUNTING' <account parms> <CA>
../data/rfc/rfc477.txt- <account parms> = '(' <u> ',' <p> ',' <a> ')'
../data/rfc/rfc477.txt- <u> = <user name> _ <null>
../data/rfc/rfc477.txt- <p> = <password> _ <null>
../data/rfc/rfc477.txt- <a> = <account> _ <null>
../data/rfc/rfc477.txt-
--
../data/rfc/rfc477.txt-Krilanovich [Page 11]
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt-RFC 477 Remote Job Service at UCSB 23 May 1973
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt: Sets the source, print and punch accounting parameters to <account
../data/rfc/rfc477.txt- parms>. Specification of <null> for any of <u>, <p>, or <a>
../data/rfc/rfc477.txt- indicates use of the contents of the corresponding login accumulator.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'SOURCE' <account parms> <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt: Set the source accounting parameter accumulators to <account parms>.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'PRINT' <account parms> <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt: Sets the print accounting parameter accumulators to <account parms>.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'PUNCH' <account parms> <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt: Sets the punch accounting parameter accumulators to <account parms>.
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'SOURCE' <jobid> (<account parms> _ <null>) <pathname> <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- Sets the source pathname of job <jobid> to <pathname>, and the source
../data/rfc/rfc477.txt: accounting parameters to <account parms>, if specified, or otherwise
../data/rfc/rfc477.txt: to the contents of the source accounting parameter accumulators. If
../data/rfc/rfc477.txt- job <jobid> already exists and its source pathname has not been
../data/rfc/rfc477.txt- specified, the new pathname is stored; if it has been specified, it
../data/rfc/rfc477.txt- is changed unless source file retrieval has already begun. If the
../data/rfc/rfc477.txt- job does not already exist, a new job is created and the pathname
../data/rfc/rfc477.txt- stored. Restrictions are that if a job with a given <jobid> has
--
../data/rfc/rfc477.txt- READ.'
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'PRINT <jobid> (<account parms> _ <null>) <disp> <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- Sets the print pathname of job <jobid> to <disp>, and the print
../data/rfc/rfc477.txt: accounting parameters to <account parms> if specified, or otherwise
../data/rfc/rfc477.txt: to the contents of the print accounting parameter accumulators. The
../data/rfc/rfc477.txt- PRINT command either creates a new job or modifies an existing one,
../data/rfc/rfc477.txt- as explained under SOURCE, and has the same restrictions and error
../data/rfc/rfc477.txt- messages listed for the SOURCE command, after making the obvious
../data/rfc/rfc477.txt- substitution of 'PRINTED' for 'READ'. The PRINT command is valid
../data/rfc/rfc477.txt- only before print file transfer begins.
--
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- 'PUNCH' <jobid> (<account parms> _ <null>) <disp> <CA>
../data/rfc/rfc477.txt-
../data/rfc/rfc477.txt- Sets the punch pathname of job <jobid> to <disp>, and the punch
../data/rfc/rfc477.txt: accounting parameters to <account parms> if specified, or otherwise
../data/rfc/rfc477.txt: to the contents of the punch accounting parameter accumulators. The
../data/rfc/rfc477.txt- PUNCH command either creates a new job or modifies an existing one,
../data/rfc/rfc477.txt- like the SOURCE and PRINT commands, and has the same restrictions and
../data/rfc/rfc477.txt- error messages listed for the SOURCE command, after making the
../data/rfc/rfc477.txt- substitution of 'PUNCHED' for 'READ'. The PUNCH command is valid
../data/rfc/rfc477.txt- only before punch file transfer begins.
--
../data/rfc/rfc2868.txt- Description
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt- This Attribute indicates the tunneling protocol(s) to be used (in
../data/rfc/rfc2868.txt- the case of a tunnel initiator) or the the tunneling protocol in
../data/rfc/rfc2868.txt- use (in the case of a tunnel terminator). It MAY be included in
../data/rfc/rfc2868.txt: Access-Request, Access-Accept and Accounting-Request packets. If
../data/rfc/rfc2868.txt- the Tunnel-Type Attribute is present in an Access-Request packet
../data/rfc/rfc2868.txt- sent from a tunnel initiator, it SHOULD be taken as a hint to the
../data/rfc/rfc2868.txt- RADIUS server as to the tunnelling protocols supported by the
../data/rfc/rfc2868.txt- tunnel end-point; the RADIUS server MAY ignore the hint, however.
../data/rfc/rfc2868.txt- A tunnel initiator is not required to implement any of these
--
../data/rfc/rfc2868.txt- tunnel. It MAY be included in both Access-Request and Access-
../data/rfc/rfc2868.txt- Accept packets to indicate the address from which a new tunnel is
../data/rfc/rfc2868.txt- to be initiated. If the Tunnel-Client-Endpoint Attribute is
../data/rfc/rfc2868.txt- included in an Access-Request packet, the RADIUS server should
../data/rfc/rfc2868.txt- take the value as a hint; the server is not obligated to honor the
../data/rfc/rfc2868.txt: hint, however. This Attribute SHOULD be included in Accounting-
../data/rfc/rfc2868.txt- Request packets which contain Acct-Status-Type attributes with
../data/rfc/rfc2868.txt- values of either Start or Stop, in which case it indicates the
../data/rfc/rfc2868.txt- address from which the tunnel was initiated. This Attribute,
../data/rfc/rfc2868.txt- along with the Tunnel-Server-Endpoint and Acct-Tunnel-Connection-
../data/rfc/rfc2868.txt- ID attributes, may be used to provide a globally unique means to
../data/rfc/rfc2868.txt: identify a tunnel for accounting and auditing purposes.
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt- A summary of the Tunnel-Client-Endpoint Attribute format is shown
../data/rfc/rfc2868.txt- below. The fields are transmitted from left to right.
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt- 0 1 2 3
--
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt- This Attribute indicates the address of the server end of the
../data/rfc/rfc2868.txt- tunnel. The Tunnel-Server-Endpoint Attribute MAY be included (as
../data/rfc/rfc2868.txt- a hint to the RADIUS server) in the Access-Request packet and MUST
../data/rfc/rfc2868.txt- be included in the Access-Accept packet if the initiation of a
../data/rfc/rfc2868.txt: tunnel is desired. It SHOULD be included in Accounting-Request
../data/rfc/rfc2868.txt- packets which contain Acct-Status-Type attributes with values of
../data/rfc/rfc2868.txt- either Start or Stop and which pertain to a tunneled session.
../data/rfc/rfc2868.txt- This Attribute, along with the Tunnel-Client-Endpoint and Acct-
../data/rfc/rfc2868.txt- Tunnel-Connection-ID Attributes [11], may be used to provide a
../data/rfc/rfc2868.txt: globally unique means to identify a tunnel for accounting and
../data/rfc/rfc2868.txt- auditing purposes.
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt-
--
../data/rfc/rfc2868.txt-Zorn, et al. Informational [Page 9]
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt-RFC 2868 RADIUS Tunnel Authentication Attributes June 2000
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt: particular interface. It SHOULD be included in Accounting-Request
../data/rfc/rfc2868.txt- packets which contain Acct-Status-Type attributes with values of
../data/rfc/rfc2868.txt- either Start or Stop and which pertain to a tunneled session.
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt- A summary of the Tunnel-Private-Group-ID Attribute format is shown
../data/rfc/rfc2868.txt- below. The fields are transmitted from left to right.
--
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt- This attribute MAY be included in the Access-Accept. The tunnel
../data/rfc/rfc2868.txt- initiator receiving this attribute MAY choose to ignore it and
../data/rfc/rfc2868.txt- assign the session to an arbitrary multiplexed or non-multiplexed
../data/rfc/rfc2868.txt- tunnel between the desired endpoints. This attribute SHOULD also
../data/rfc/rfc2868.txt: be included in Accounting-Request packets which contain Acct-
../data/rfc/rfc2868.txt- Status-Type attributes with values of either Start or Stop and
../data/rfc/rfc2868.txt- which pertain to a tunneled session.
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt- If a tunnel initiator supports the Tunnel-Assignment-ID Attribute,
../data/rfc/rfc2868.txt- then it should assign a session to a tunnel in the following
--
../data/rfc/rfc2868.txt- during the authentication phase of tunnel establishment. The
../data/rfc/rfc2868.txt- Tunnel-Client-Auth-ID Attribute MAY be included (as a hint to the
../data/rfc/rfc2868.txt- RADIUS server) in the Access-Request packet, and MUST be included
../data/rfc/rfc2868.txt- in the Access-Accept packet if an authentication name other than
../data/rfc/rfc2868.txt- the default is desired. This Attribute SHOULD be included in
../data/rfc/rfc2868.txt: Accounting-Request packets which contain Acct-Status-Type
../data/rfc/rfc2868.txt- attributes with values of either Start or Stop and which pertain
../data/rfc/rfc2868.txt- to a tunneled session.
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt-
--
../data/rfc/rfc2868.txt- during the authentication phase of tunnel establishment. The
../data/rfc/rfc2868.txt- Tunnel-Client-Auth-ID Attribute MAY be included (as a hint to the
../data/rfc/rfc2868.txt- RADIUS server) in the Access-Request packet, and MUST be included
../data/rfc/rfc2868.txt- in the Access-Accept packet if an authentication name other than
../data/rfc/rfc2868.txt- the default is desired. This Attribute SHOULD be included in
../data/rfc/rfc2868.txt: Accounting-Request packets which contain Acct-Status-Type
../data/rfc/rfc2868.txt- attributes with values of either Start or Stop and which pertain
../data/rfc/rfc2868.txt- to a tunneled session.
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt- A summary of the Tunnel-Server-Auth-ID Attribute format is shown
../data/rfc/rfc2868.txt- below. The fields are transmitted from left to right.
--
../data/rfc/rfc2868.txt- [9] Hanks, S., Li, T., Farinacci, D. and P. Traina, "Generic Routing
../data/rfc/rfc2868.txt- Encapsulation (GRE)", RFC 1701, October 1994.
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt- [10] Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995.
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt: [11] Zorn, G. and D. Mitton, "RADIUS Accounting Modifications for
../data/rfc/rfc2868.txt- Tunnel Protocol Support", RFC 2867, June 2000.
../data/rfc/rfc2868.txt-
../data/rfc/rfc2868.txt- [12] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
../data/rfc/rfc2868.txt- Authentication Dial in User Service (RADIUS)", RFC 2865, June
../data/rfc/rfc2868.txt- 2000.
--
../data/rfc/rfc8309.txt- A service may be limited to simple connectivity (such as IP-based
../data/rfc/rfc8309.txt- Internet access), may be a tunnel (such as a virtual circuit), or
../data/rfc/rfc8309.txt- may involve more complex connectivity (such as in a multisite
../data/rfc/rfc8309.txt- virtual private network). Services may be further enhanced by
../data/rfc/rfc8309.txt- additional functions providing security, load balancing,
../data/rfc/rfc8309.txt: accounting, and so forth. Additionally, services usually include
../data/rfc/rfc8309.txt- guarantees of quality, throughput, and fault reporting.
../data/rfc/rfc8309.txt-
../data/rfc/rfc8309.txt- This document makes a distinction between a service as delivered
../data/rfc/rfc8309.txt- to a customer (that is, the service as discussed on the interface
../data/rfc/rfc8309.txt- between a customer and the network operator) and the service as
--
../data/rfc/rfc8559.txt- 2. Problem Statement ...............................................5
../data/rfc/rfc8559.txt- 2.1. Typical RADIUS Proxying ....................................5
../data/rfc/rfc8559.txt- 2.2. CoA Processing .............................................6
../data/rfc/rfc8559.txt- 2.3. Failure of CoA Proxying ....................................6
../data/rfc/rfc8559.txt- 3. How to Perform CoA Proxying .....................................7
../data/rfc/rfc8559.txt: 3.1. Changes to Access-Request and Accounting-Request Packets ...8
../data/rfc/rfc8559.txt- 3.2. Proxying of CoA-Request and Disconnect-Request Packets .....9
../data/rfc/rfc8559.txt- 3.3. Reception of CoA-Request and Disconnect-Request Packets ...10
../data/rfc/rfc8559.txt- 3.4. Operator-NAS-Identifier ...................................11
../data/rfc/rfc8559.txt- 4. Requirements ...................................................14
../data/rfc/rfc8559.txt- 4.1. Requirements on Home Servers ..............................14
--
../data/rfc/rfc8559.txt- methods of proxying CoA packets are possible but are not discussed
../data/rfc/rfc8559.txt- here.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- In order to determine the "next hop" for a packet, the proxying
../data/rfc/rfc8559.txt- server looks up the "realm" portion of the NAI in a logical
../data/rfc/rfc8559.txt: Authentication, Authorization, and Accounting (AAA) routing table, as
../data/rfc/rfc8559.txt- described in Section 3 of [RFC7542]. The entry in that table
../data/rfc/rfc8559.txt- contains information about the next hop to which the packet is sent.
../data/rfc/rfc8559.txt- This information can be IP address, shared secret, certificate, etc.
../data/rfc/rfc8559.txt- The next hop may also be another proxy, or it may be the home server
../data/rfc/rfc8559.txt- for that realm.
--
../data/rfc/rfc8559.txt- sessions. That is, once a response has been sent by the proxy, it
../data/rfc/rfc8559.txt- can discard all information about the request packet, other than what
../data/rfc/rfc8559.txt- is needed for detecting retransmissions as per Section 2.2.2 of
../data/rfc/rfc8559.txt- [RFC5080].
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt: The same method is used to proxy Accounting-Request packets.
../data/rfc/rfc8559.txt: Proxying both Access-Request and Accounting-Request packets allows
../data/rfc/rfc8559.txt- proxies to connect visited networks to home networks for all AAA
../data/rfc/rfc8559.txt- purposes.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-2.2. CoA Processing
../data/rfc/rfc8559.txt-
--
../data/rfc/rfc8559.txt- the Operator-Name attribute MUST NOT occur more than once in a
../data/rfc/rfc8559.txt- packet. If a packet contains more than one Operator-Name,
../data/rfc/rfc8559.txt- implementations MUST treat the second and subsequent attributes as
../data/rfc/rfc8559.txt- "invalid attributes", as discussed in Section 2.8 of [RFC6929].
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt:3.1. Changes to Access-Request and Accounting-Request Packets
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt: When a visited network proxies an Access-Request or Accounting-
../data/rfc/rfc8559.txt- Request packet outside of its network, a visited network that wishes
../data/rfc/rfc8559.txt- to support realm-based CoA proxying SHOULD include an Operator-Name
../data/rfc/rfc8559.txt- attribute in the packet, as discussed in Section 4.1 of [RFC5580].
../data/rfc/rfc8559.txt- The contents of the Operator-Name attribute should be "1", followed
../data/rfc/rfc8559.txt- by the realm name of the visited network. Where the visited network
../data/rfc/rfc8559.txt- has more than one realm name, a "canonical" name SHOULD be chosen and
../data/rfc/rfc8559.txt- used for all packets.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- Visited networks MUST use a consistent value for Operator-Name for
../data/rfc/rfc8559.txt- any one user session. That is, sending "1example.com" in an
../data/rfc/rfc8559.txt: Access-Request packet and "1example.org" in an Accounting-Request
../data/rfc/rfc8559.txt- packet for that same session is forbidden. Such behavior would make
../data/rfc/rfc8559.txt- it look like a single user session was active simultaneously in two
../data/rfc/rfc8559.txt- different visited networks, which is impossible.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- Proxies that record user session information SHOULD also record
--
../data/rfc/rfc8559.txt- Identification Mismatch").
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- All other received packets are processed as per local site rules and
../data/rfc/rfc8559.txt- will result in an appropriate response packet being sent. This
../data/rfc/rfc8559.txt- process mirrors the method used to process Access-Request and
../data/rfc/rfc8559.txt: Accounting-Request packets (described above).
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-
--
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-3.4. Operator-NAS-Identifier
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- The Operator-NAS-Identifier attribute is an opaque token that
../data/rfc/rfc8559.txt- identifies an individual NAS in a visited network. It MAY appear in
../data/rfc/rfc8559.txt: the following packets: Access-Request, Accounting-Request,
../data/rfc/rfc8559.txt- CoA-Request, or Disconnect-Request. Operator-NAS-Identifier MUST NOT
../data/rfc/rfc8559.txt- appear in any other packets.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- Operator-NAS-Identifier MAY occur in a packet if the packet also
../data/rfc/rfc8559.txt- contains an Operator-Name attribute. Operator-NAS-Identifier
--
../data/rfc/rfc8559.txt- packet. If a packet contains more than one Operator-NAS-Identifier,
../data/rfc/rfc8559.txt- implementations MUST treat the second and subsequent attributes as
../data/rfc/rfc8559.txt- "invalid attributes", as discussed in Section 2.8 of [RFC6929].
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- An Operator-NAS-Identifier attribute SHOULD be added to an
../data/rfc/rfc8559.txt: Access-Request or Accounting-Request packet by a visited network,
../data/rfc/rfc8559.txt- before proxying a packet to an external RADIUS server. When the
../data/rfc/rfc8559.txt- Operator-NAS-Identifier attribute is added to a packet, the following
../data/rfc/rfc8559.txt- attributes SHOULD be deleted from the packet: NAS-IP-Address,
../data/rfc/rfc8559.txt- NAS-IPv6-Address, and NAS-Identifier. If these attributes are
../data/rfc/rfc8559.txt- deleted, the proxy MUST then add a new NAS-Identifier attribute,
--
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- Note that there is no requirement that the value of Operator-NAS-
../data/rfc/rfc8559.txt- Identifier be checked for integrity. Modification of the value
../data/rfc/rfc8559.txt- can only result in the erroneous transaction being rejected.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt: We note that the Access-Request and Accounting-Request packets
../data/rfc/rfc8559.txt- often contain the Media Access Control (MAC) address of the NAS.
../data/rfc/rfc8559.txt- There is therefore no requirement that Operator-NAS-Identifier
../data/rfc/rfc8559.txt- obfuscate or hide in any way the total number of NASes in a
../data/rfc/rfc8559.txt- visited network. That information is already public knowledge.
../data/rfc/rfc8559.txt-
--
../data/rfc/rfc8559.txt- NAK packet that contains an Error-Cause Attribute having value 503
../data/rfc/rfc8559.txt- ("Session Context Not Found"). These checks cannot be mandated due
../data/rfc/rfc8559.txt- to the fact that [RFC5176] offers no advice on which attributes are
../data/rfc/rfc8559.txt- used to identify a user's session.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt: Because a RADIUS proxy will see Access-Request and Accounting-Request
../data/rfc/rfc8559.txt- packets, we recognize that it will have sufficient information to
../data/rfc/rfc8559.txt- forge CoA packets. The RADIUS proxy will thus have the ability to
../data/rfc/rfc8559.txt- subsequently disconnect any user who was authenticated through
../data/rfc/rfc8559.txt- itself.
../data/rfc/rfc8559.txt-
--
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- The biggest problem is that there are no provisions in RADIUS for
../data/rfc/rfc8559.txt- "end-to-end" security. That is, the visited network and home network
../data/rfc/rfc8559.txt- cannot communicate privately in the presence of proxies. This
../data/rfc/rfc8559.txt- limitation originates from the design of RADIUS for Access-Request
../data/rfc/rfc8559.txt: and Accounting-Request packets. That limitation is then carried over
../data/rfc/rfc8559.txt- to CoA-Request and Disconnect-Request packets.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-
--
../data/rfc/rfc8559.txt- the NAS.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- When Operator-Name and/or Operator-NAS-Identifier are received by a
../data/rfc/rfc8559.txt- proxy, the proxy MUST pass those attributes through unchanged. This
../data/rfc/rfc8559.txt- requirement applies to all proxies, including proxies that forward
../data/rfc/rfc8559.txt: any or all of Access-Request, Accounting-Request, CoA-Request, and
../data/rfc/rfc8559.txt- Disconnect-Request packets.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- All attributes added by a RADIUS proxy when sending packets from the
../data/rfc/rfc8559.txt- visited network to the home network MUST be removed by the
../data/rfc/rfc8559.txt- corresponding CoA proxy from packets traversing the reverse path.
--
../data/rfc/rfc8559.txt- trust instead of on technical means.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- CoA packet proxying has all of the same issues as those noted above.
../data/rfc/rfc8559.txt- We note that the proxies that see and can modify CoA packets are
../data/rfc/rfc8559.txt- generally the same proxies that can see or modify Access-Request and
../data/rfc/rfc8559.txt: Accounting-Request packets. As such, there are few additional
../data/rfc/rfc8559.txt- security implications in allowing CoA proxying.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- The main security implication that remains is that home networks now
../data/rfc/rfc8559.txt- have the ability to disconnect or change the authorization of users
../data/rfc/rfc8559.txt- in a visited network. As this capability is only enabled when mutual
--
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt- Trusted parties can modify a user's session on the NAS only when they
../data/rfc/rfc8559.txt- have sufficient information to identify that session. In practice,
../data/rfc/rfc8559.txt- this limitation means that those parties already have access to the
../data/rfc/rfc8559.txt- user's session information. In other words, those parties are the
../data/rfc/rfc8559.txt: proxies who are already forwarding Access-Request and Accounting-
../data/rfc/rfc8559.txt- Request packets.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-
--
../data/rfc/rfc8559.txt- DOI 10.17487/RFC8174, May 2017,
../data/rfc/rfc8559.txt- <https://www.rfc-editor.org/info/rfc8174>.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-8.2. Informative References
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866,
../data/rfc/rfc8559.txt- DOI 10.17487/RFC2866, June 2000,
../data/rfc/rfc8559.txt- <https://www.rfc-editor.org/info/rfc2866>.
../data/rfc/rfc8559.txt-
../data/rfc/rfc8559.txt-Authors' Addresses
../data/rfc/rfc8559.txt-
--
../data/rfc/rfc599.txt- regardless of the terminal option. See Reference 9 for
../data/rfc/rfc599.txt- discussion of the virtues of compression.
../data/rfc/rfc599.txt-
../data/rfc/rfc599.txt- 2.
Automatic Coldstart Job Resubmission ../data/rfc/rfc599.txt- ../data/rfc/rfc599.txt: If "R" (Restart) is specified in the accounting field on the ../data/rfc/rfc599.txt- JOB card and if this option is chosen, RJS will automatically ../data/rfc/rfc599.txt- resubmit the job from the beginning if the CCN operating system ../data/rfc/rfc599.txt- should be "coldstarted" before all output from the job is ../data/rfc/rfc599.txt- returned. Otherwise, the job will be lost and must be ../data/rfc/rfc599.txt- resubmitted from the remote terminal in case of a coldstart. -- ../data/rfc/rfc3127.txt- B. Wolff ../data/rfc/rfc3127.txt- Databus Inc. ../data/rfc/rfc3127.txt- June 2001 ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: Authentication, Authorization, and Accounting: ../data/rfc/rfc3127.txt- Protocol Evaluation ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt-Status of this Memo ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- This memo provides information for the Internet community. It does -- ../data/rfc/rfc3127.txt- Copyright (C) The Internet Society (2001). All Rights Reserved. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt-Abstract ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- This memo represents the process and findings of the Authentication, ../data/rfc/rfc3127.txt: Authorization, and Accounting Working Group (AAA WG) panel evaluating ../data/rfc/rfc3127.txt- protocols proposed against the AAA Network Access Requirements, RFC ../data/rfc/rfc3127.txt- 2989. Due to time constraints of this report, this document is not ../data/rfc/rfc3127.txt- as fully polished as it might have been desired. But it remains ../data/rfc/rfc3127.txt- mostly in this state to document the results as presented. ../data/rfc/rfc3127.txt- -- ../data/rfc/rfc3127.txt- 2. Protocol Proposals . . . . . . . . . . . . . . . . . . . . . . .8 ../data/rfc/rfc3127.txt- 3. Item Level Compliance Evaluation . . . . . . . . . . . . . . . 
8 ../data/rfc/rfc3127.txt- 3.1 General Requirements . . . . . . . . . . . . . . . . . . . . . 9 ../data/rfc/rfc3127.txt- 3.2 Authentication Requirements. . . . . . . . . . . . . . . . . .11 ../data/rfc/rfc3127.txt- 3.3 Authorization Requirements . . . . . . . . . . . . . . . . . .12 ../data/rfc/rfc3127.txt: 3.4 Accounting Requirements . . . . . . . . . . . . . . . . . . .12 ../data/rfc/rfc3127.txt- 3.5 MOBILE IP Requirements . . . . . . . . . . . . . . . . . . . .13 ../data/rfc/rfc3127.txt- 4. Protocol Evaluation Summaries . . . . . . . . . . . . . . . . .14 ../data/rfc/rfc3127.txt- 4.1 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14 ../data/rfc/rfc3127.txt- 4.2 Radius++ . . . . . . . . . . . . . . . . . . . . . . . . . . .14 ../data/rfc/rfc3127.txt- 4.3 Diameter . . . . . . . . . . . . . . . . . . . . . . . . . . .14 -- ../data/rfc/rfc3127.txt- A. Appendix A - Summary Evaluations . . . . . . . . . . . . . . .17 ../data/rfc/rfc3127.txt- B. Appendix B - Review of the Requirements . . . . . . . . . . . .18 ../data/rfc/rfc3127.txt- B.1 General Requirements. . . . . . . . . . . . . . . . . . . . . .18 ../data/rfc/rfc3127.txt- B.2 Authentication Requirements . . . . . . . . . . . . . . . . . .19 ../data/rfc/rfc3127.txt- B.3 Authorization Requirements. . . . . . . . . . . . . . . . . . .19 ../data/rfc/rfc3127.txt: B.4 Accounting Requirements . . . . . . . . . . . . . . . . . . . .20 ../data/rfc/rfc3127.txt- C. Appendix C - Position Briefs . . . . . . . . . . . . . . . . .21 ../data/rfc/rfc3127.txt- C.1 SNMP PRO Evaluation . . . . . . . . . . . . . . . . . . . . .21 ../data/rfc/rfc3127.txt- C.2 SNMP CON Evaluation . . . . . . . . . . . . . . . . . . . . .28 ../data/rfc/rfc3127.txt- C.3 RADIUS+ PRO Evaluation . . . . . . . . . . . . . . . . . . . .33 ../data/rfc/rfc3127.txt- C.4 RADIUS+ CON Evaluation . . . . . . . . . . . . . . . . . . . 
.37 -- ../data/rfc/rfc3127.txt- did a requirement by requirement discussion, then a discussion of ../data/rfc/rfc3127.txt- each of the protocols. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- The final phase was for each member to provide his final summary ../data/rfc/rfc3127.txt- evaluation for each of the protocols. Each proposal was scored as ../data/rfc/rfc3127.txt: either Not Acceptable, Acceptable Only For Accounting, Acceptable ../data/rfc/rfc3127.txt- with Engineering and Fully Acceptable. Where a proposal was ../data/rfc/rfc3127.txt- acceptable with engineering, the member indicated whether it would be ../data/rfc/rfc3127.txt- a small, medium or large amount. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- It should be noted that score indicated the opinion of the team -- ../data/rfc/rfc3127.txt- All of the protocols were weak to non-existent on specifying how this ../data/rfc/rfc3127.txt- would be done in a web of proxies situation. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 3.3.8 Unsolicited Disconnect - SNMP:T, RADIUS:P, Diameter:T, COPS:T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt:3.4 Accounting Requirements ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 3.4.1 Real Time Accounting - SNMP:T, RADIUS:T, Diameter:T, COPS:T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- -- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 3.4.2 Mandatory Compact Encoding - SNMP:T, RADIUS:T, Diameter:T, ../data/rfc/rfc3127.txt- COPS:T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 3.4.3 Accounting Record Extensibility - SNMP:T, RADIUS:T, ../data/rfc/rfc3127.txt- Diameter:T, COPS:T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 3.4.4 Batch Accounting - SNMP:T, RADIUS:F, Diameter:P, COPS:P ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- Some members of the group are not sure how this fits into the rest of ../data/rfc/rfc3127.txt- the AAA 
protocol, which is primarily real-time and event driven. ../data/rfc/rfc3127.txt- Would this be better met with FTP? ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 3.4.5 Guaranteed Delivery - SNMP:T, RADIUS:T, Diameter:T, COPS:T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 3.4.6 Accounting Timestamps - SNMP:T, RADIUS:T, Diameter:T, ../data/rfc/rfc3127.txt- COPS:T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 3.4.7 Dynamic Accounting - SNMP:T, RADIUS:T, Diameter:T, COPS:T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt-3.5 MOBILE IP Requirements ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 3.5.1 Encoding of MOBILE IP Registration Messages - SNMP:T, ../data/rfc/rfc3127.txt- RADIUS:T/P, Diameter:T, COPS:T -- ../data/rfc/rfc3127.txt-4. Protocol Evaluation Summaries ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt-4.1. SNMP ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- SNMP is generally not acceptable as a general AAA protocol. There ../data/rfc/rfc3127.txt: may be some utility in its use for accounting, but the amount of ../data/rfc/rfc3127.txt- engineering to turn it into a viable A&A protocol argues against ../data/rfc/rfc3127.txt- further consideration. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt-4.2. Radius++ ../data/rfc/rfc3127.txt- -- ../data/rfc/rfc3127.txt- State Reconciliation - Clarification [f] should be brought in line ../data/rfc/rfc3127.txt- with NASREQ requirements. The clarification imposes overbroad ../data/rfc/rfc3127.txt- requirements not required by NASREQ and NASREQ is the only service ../data/rfc/rfc3127.txt- with requirements in this area. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt:B.4 Accounting Requirements ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: Real-Time accounting - [Table] Replace MOBILE IP footnote [39] with a ../data/rfc/rfc3127.txt- footnote pointing to section 3.1 of [3] as being more appropriate. 
../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- Mandatory Compact Encoding - [Table] Delete MOBILE IP "M" and ../data/rfc/rfc3127.txt- footnote "33" as the reference does not support the requirement. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: Accounting Record Extensibility - [Table] Delete NASREQ "M" and ../data/rfc/rfc3127.txt- footnote "15" as the reference does not support the requirement. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: Accounting Time Stamps - [Table] Delete MOBILE IP "S" and footnote ../data/rfc/rfc3127.txt- "30" as they don't support the requirement. Replace MOBILE IP ../data/rfc/rfc3127.txt- footnote "40" with a footnote pointing to section 3.1 of [3] as being ../data/rfc/rfc3127.txt- more appropriate. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: Dynamic Accounting - [Table] Replace the NASREQ footnote "18" with a ../data/rfc/rfc3127.txt- footnote pointing to section 8.4.1.5 of [3]. Delete the MOBILE IP ../data/rfc/rfc3127.txt- "S" and footnote "30" as the reference does not support the ../data/rfc/rfc3127.txt- requirement. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- Footnote section. -- ../data/rfc/rfc3127.txt- 1.3.8 Unsolicited Disconnect - Grade T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- The document indicates that SNMP can easily provide objects to ../data/rfc/rfc3127.txt- control this operation. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4 Accounting Requirements ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.1 Real Time Accounting - Grade T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- SNMP can provide this mode of operation. The document outlines ../data/rfc/rfc3127.txt- methods both fully within SNMP and using SNMP to interface with other ../data/rfc/rfc3127.txt- transfer methods. 
Many providers already use SNMP for real time ../data/rfc/rfc3127.txt- -- ../data/rfc/rfc3127.txt- protocols to handle data transmissions where the BER encoding of SNMP ../data/rfc/rfc3127.txt- objects would be considered excessive. SNMP BER encoded protocol ../data/rfc/rfc3127.txt- elements are generally in a fairly compact encoding form compared ../data/rfc/rfc3127.txt- with text based forms (as used in some existing radius log file ../data/rfc/rfc3127.txt- implementations). This interacts with the general requirement for ../data/rfc/rfc3127.txt: carrying service specific attributes and the accounting requirement ../data/rfc/rfc3127.txt- for extensibility. With careful MIB design and future work on SNMP ../data/rfc/rfc3127.txt- payload compression the SNMP coding overhead can be comparable with ../data/rfc/rfc3127.txt- other less extensible protocols. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.3 Accounting Record Extensibility - Grade T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- SNMP has a strong tradition of allowing vendor specific data objects ../data/rfc/rfc3127.txt- to be transferred. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.4 Batch Accounting - Grade T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- There are many methods which a SNMP based system could use for batch ../data/rfc/rfc3127.txt: accounting. The document discusses SNMP parameters to control the ../data/rfc/rfc3127.txt- batching process and indicates that certain existing MIBs contain ../data/rfc/rfc3127.txt- examples of implementation strategies. SNMP log tables can provide ../data/rfc/rfc3127.txt: accounting information which can be obtained in many methods not ../data/rfc/rfc3127.txt- directly related to real time capabilities. The underlying system ../data/rfc/rfc3127.txt- buffering requirements are similar regardless of the protocol used to ../data/rfc/rfc3127.txt- transport the information. 
../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.4.5 Guaranteed Delivery - Grade T -- ../data/rfc/rfc3127.txt- in a pull model (versus the often assumed push model) the data ../data/rfc/rfc3127.txt- gatherer can absolutely know that all data has been transfered. In ../data/rfc/rfc3127.txt- the common push model the data receiver does not know if the ../data/rfc/rfc3127.txt- originator of the data is having problems delivering the data. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.6 Accounting Timestamps - Grade T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- Timestamps are used for many SNMP based operations. The document ../data/rfc/rfc3127.txt- points at the DateAndTime textual convention which is available for ../data/rfc/rfc3127.txt- use. As with all environments the timestamps accuracy needs ../data/rfc/rfc3127.txt- evaluation before the information should be relied upon. -- ../data/rfc/rfc3127.txt-Mitton, et al. Informational [Page 26] ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt-RFC 3127 AAA Protocol Evaluation Process June 2001 ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.7 Dynamic Accounting - Grade T ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- As long as there is some way to relate multiple records together ../data/rfc/rfc3127.txt- there are no problems resolving multiple records for the same ../data/rfc/rfc3127.txt- session. This interacts with the scalability requirement and care ../data/rfc/rfc3127.txt- must be taken when implementing a system with both of these -- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.3.8 Unsolicited Disconnect - Assuming that the NAS is an SNMP agent ../data/rfc/rfc3127.txt- for an AAA server acting as an SNMP manager the evaluator concurs. ../data/rfc/rfc3127.txt- Eval - No Change (T). 
../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4 Accounting Requirements ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.1 Real Time Accounting - SNMP Informs could accomplish the ../data/rfc/rfc3127.txt- requirements. Eval - No Change (T) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.4.2 Mandatory Compact Encoding - This is a good and reasonable ../data/rfc/rfc3127.txt- response. SNMP can vary the style and type of reported objects to ../data/rfc/rfc3127.txt- meet specific needs. Eval - No Change (T). ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.3 Accounting Record Extensibility - MIBs are extensible. Eval - ../data/rfc/rfc3127.txt- No Change (T) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.4 Batch Accounting - MIBs provide data collection at various ../data/rfc/rfc3127.txt- times. Eval - No Change (T) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.4.5 Guaranteed Delivery - There's some weasel wording here with ../data/rfc/rfc3127.txt- respect to what guaranteed means, but the description of mechanisms ../data/rfc/rfc3127.txt- does appear to meet the requirements. Eval - No Change (T) -- ../data/rfc/rfc3127.txt-Mitton, et al. Informational [Page 31] ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt-RFC 3127 AAA Protocol Evaluation Process June 2001 ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.6 Accounting Timestamps - Accounting records can use the ../data/rfc/rfc3127.txt- DateAndTime Textual Convention to mark their times. Eval - No Change ../data/rfc/rfc3127.txt- (T) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.7 Dynamic Accounting - The author may have partially missed the ../data/rfc/rfc3127.txt- point on this requirement. While the number of records per session ../data/rfc/rfc3127.txt- is not of great interest, the delivery may be. The author should go ../data/rfc/rfc3127.txt- a little more into depth on this requirement. 
Eval - No Change (T) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.5 MOBILE IP Requirements -- ../data/rfc/rfc3127.txt- The evaluator also notes that the scaling issues of SNMP in SNMP ../data/rfc/rfc3127.txt- agent/manager mode are in no way indicative of SNMP in AAA ../data/rfc/rfc3127.txt- client/server mode. This has a possibility to substantially impair ../data/rfc/rfc3127.txt- SNMPs use in an AAA role. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: However, SNMP may have a reasonable role in the Accounting space. ../data/rfc/rfc3127.txt- SNMP appears to map well with existing technology, and with the ../data/rfc/rfc3127.txt- requirements. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 3. General Requirements ../data/rfc/rfc3127.txt- -- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 4. Summary Recommendation ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- Recommended in Part. SNMP is NOT RECOMMENDED for use as either an ../data/rfc/rfc3127.txt- authentication or authorization protocol, but IS RECOMMENDED for use ../data/rfc/rfc3127.txt: as an accounting protocol. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt-C.3 RADIUS+ PRO Evaluation ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- Evaluation of RADIUS AAA Requirements PRO Evaluation ../data/rfc/rfc3127.txt- -- ../data/rfc/rfc3127.txt- 1.3.7 [g] State Reconciliation - Eval - F (no change) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.3.8 [h] Unsolicited Disconnect - RADIUS++ extensions to support. ../data/rfc/rfc3127.txt- Eval - T. 
(no change) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4 Accounting Requirements ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.1 [a] Real Time Accounting - Eval - T (no change) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.4.2 [b] Mandatory Compact Encoding - Eval - T (no change) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.3 [c] Accounting Record Extensibility - Eval - T (no change) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.4 [d] Batch Accounting - RADIUS++ offers no new features to ../data/rfc/rfc3127.txt: support batch accounting. Eval - F No change) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.4.5 [e] Guaranteed Delivery - Retransmission algorithm employed. ../data/rfc/rfc3127.txt- Eval - T (no change) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.6 [f] Accounting Timestamps - RADIUS++ extensions support ../data/rfc/rfc3127.txt- timestamps. Eval - T (no change) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.7 [g] Dynamic Accounting - RADIUS++ extensions to support. Eval ../data/rfc/rfc3127.txt- - T (no change) ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.5 MOBILE IP Requirements ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.5.1 [a] Encoding of MOBILE IP Registration Messages - RADIUS++ -- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- RADIUS++ as it could be developed would provide a level of backward ../data/rfc/rfc3127.txt- compatibility that other protocols cannot achieve. By extending ../data/rfc/rfc3127.txt- RADIUS in the simple ways described in the documents listed above, ../data/rfc/rfc3127.txt- the transition from existing RADIUS-based installations to RADIUS++ ../data/rfc/rfc3127.txt: installations would be easier. Although accounting continues to be ../data/rfc/rfc3127.txt- weaker than other approaches, the protocol remains a strong contender ../data/rfc/rfc3127.txt- for continued use in the areas of Authorization and Authentication. 
../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt-C.4 RADIUS+ CON Evaluation ../data/rfc/rfc3127.txt- -- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.3.8 Unsolicited Disconnect - Much of the discussion from the ../data/rfc/rfc3127.txt- previous section applies to this section. The document [1] claims ../data/rfc/rfc3127.txt- "F", and the evaluator concurs. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4 Accounting Requirements ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.1 Real Time Accounting - RADIUS Accounting is widely deployed and ../data/rfc/rfc3127.txt- functions within the definition of real time contained in [3]. The ../data/rfc/rfc3127.txt- document [1] claims "T", and the evaluator concurs. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.2 Mandatory Compact Encoding - RADIUS Accounting contains TLVs ../data/rfc/rfc3127.txt: for relevant accounting information, each of which is fairly compact. ../data/rfc/rfc3127.txt- Note that the term "bloated" in [3] is somewhat subjective. The ../data/rfc/rfc3127.txt- document [1] claims "T", and the evaluator concurs. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.3 Accounting Record Extensibility - RADIUS Accounting may be ../data/rfc/rfc3127.txt- extended by means of new attributes or by using the Vendor-Specific ../data/rfc/rfc3127.txt- attribute. While it has been argued that the existing attribute ../data/rfc/rfc3127.txt- number space is too small for the required expansion capabilities, ../data/rfc/rfc3127.txt- the protocol [2] addresses this problem in section 3.0, and its ../data/rfc/rfc3127.txt- subsections, of [2]. The document [1] claims "T", and the evaluator ../data/rfc/rfc3127.txt- concurs. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.4 Batch Accounting - RADIUS has no explicit provisions for batch ../data/rfc/rfc3127.txt: accounting, nor does the protocol [2] address how this feature might ../data/rfc/rfc3127.txt- be accomplished. 
The document [1] claims "F", and the evaluator ../data/rfc/rfc3127.txt- concurs. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.5 Guaranteed Delivery - RADIUS Accounting is widely deployed and ../data/rfc/rfc3127.txt- provides guaranteed delivery within the context of the required ../data/rfc/rfc3127.txt- application-level acknowledgment. The document [1] claims "T", and ../data/rfc/rfc3127.txt- the evaluator concurs. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.6 Accounting Timestamps - The document [1] indicates that this ../data/rfc/rfc3127.txt- feature is specified in [4] as the Event-Timestamp attribute. The ../data/rfc/rfc3127.txt- document claims [1] "T", and the evaluator concurs. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.7 Dynamic Accounting - The document [1] indicates that this ../data/rfc/rfc3127.txt: requirement is partially met using the accounting interim update ../data/rfc/rfc3127.txt- message as specified in [4]. In addition, there was work in the ../data/rfc/rfc3127.txt: RADIUS WG regarding session accounting extensions that has not been ../data/rfc/rfc3127.txt- included in [4], i.e., some expired works in progress. The document ../data/rfc/rfc3127.txt- claims [1] "P", and the evaluator concurs. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- -- ../data/rfc/rfc3127.txt- Evaluator - Basavaraj Patil ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- Ref [1] is "Diameter Framework Document". ../data/rfc/rfc3127.txt- Ref [2] is "Diameter NASREQ Extensions". ../data/rfc/rfc3127.txt- Ref [3] is the AAA evaluation criteria as modified by us. ../data/rfc/rfc3127.txt: Ref [4] is "Diameter Accounting Extensions". ../data/rfc/rfc3127.txt- Ref [5] is "Diameter Mobile IP Extensions". ../data/rfc/rfc3127.txt- Ref [6] is "Diameter Base Protocol". ../data/rfc/rfc3127.txt- Ref [7] is "Diameter Strong Security Extension". 
../data/rfc/rfc3127.txt- Ref [8] is "Comparison of Diameter Against AAA Network Access ../data/rfc/rfc3127.txt- Requirements". -- ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- The base protocol [6] defines a set of session termination messages ../data/rfc/rfc3127.txt- which can be used for unsolicited disconnects. Evaluator concurs ../data/rfc/rfc3127.txt- with the "T" compliance on this requirement. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4 Accounting Requirements ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.1 Real Time Accounting ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- Evaluator concurs with the "T" compliance based on explanations in ../data/rfc/rfc3127.txt- [4]. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.4.2 Mandatory Compact Encoding ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: Use of Accounting Data Interchange Format (ADIF)-Record-AVP for ../data/rfc/rfc3127.txt: compact encoding of accounting data. Evaluator concurs with the "T" ../data/rfc/rfc3127.txt- compliance. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.3 Accounting Record Extensibility ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- ADIF can be extended. Evaluator concurs with the "T" compliance. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.4 Batch Accounting ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: Sec 1.2 of [4] provides support for batch accounting. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- 1.4.5 Guaranteed Delivery ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt- Sections 2.1/2 of [4] describe messages that are used to guarantee ../data/rfc/rfc3127.txt: delivery of accounting records. Evaluator concurs with the "T" ../data/rfc/rfc3127.txt- compliance. ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: 1.4.6 Accounting Timestamps ../data/rfc/rfc3127.txt- ../data/rfc/rfc3127.txt: Timestamp AVP [6] is present in all accounting messages. Evaluator ../data/rfc/rfc3127.txt- concurs with the "T" compliance. 
rfc3127.txt:

   1.4.7 Dynamic Accounting

   Interim accounting records equivalent to a call-in-progress can be
   sent periodically.  Evaluator concurs with the "T" compliance.

--
   no session-id is defined to ask for info on all sessions, not just
   those "owned" by the requester.

   1.3.8 Unsolicited Disconnect - T

   1.4 Accounting Requirements

   1.4.1 Real Time Accounting - T

   1.4.2 Mandatory Compact Encoding - T

   1.4.3 Accounting Record Extensibility - T

   1.4.4 Batch Accounting - P (was T).  The evaluator suspects that
   simply sending multiple accounting records in a single request is not
   how batch accounting should or will be done.

   1.4.5 Guaranteed Delivery - T

   1.4.6 Accounting Timestamps - T (The evaluator notes with amusement
   that NTP time cycles in 2036, not 2038 as claimed in the Diameter
   drafts.  It's Unix time that will set the sign bit in 2038.)

   1.4.7 Dynamic Accounting - T

   1.5 MOBILE IP Requirements

   1.5.1 Encoding of MOBILE IP Registration Messages - T

--
Mitton, et al.               Informational                     [Page 57]

RFC 3127             AAA Protocol Evaluation Process           June 2001

   1.4 Accounting Requirements

   1.4.1 Real Time Accounting - The document [1] claims "T", and the
   evaluator concurs.

   1.4.2 Mandatory Compact Encoding - Note that the term "bloated" in
   [3] is somewhat subjective.  The document [1] claims "T", and the
   evaluator concurs.

   1.4.3 Accounting Record Extensibility - The document [1] claims "T",
   and the evaluator concurs.

   1.4.4 Batch Accounting - The protocol [2] [5] does not address in
   detail how this feature might be accomplished.  The document [1]
   claims "T", and the evaluator awards "P".

   1.4.5 Guaranteed Delivery - Guaranteed delivery is provided by TCP.
   The document [1] claims "T", and the evaluator concurs.

   1.4.6 Accounting Timestamps - The document [1] claims "T", and the
   evaluator concurs.

   1.4.7 Dynamic Accounting - The document [1] claims "T", and the
   evaluator concurs.

   1.5 MOBILE IP Requirements

   1.5.1 Encoding of MOBILE IP Registration Messages - The document [1]

--
   multi-administration situation, or in any proxy situation.  Multi-
   server coordination, if allowed, seems to be lacking a description.

   1.3.8 Unsolicited Disconnect - T

   1.4 Accounting Requirements

   1.4.1 Real Time Accounting - T

   1.4.2 Mandatory Compact Encoding - T  This evaluator does not believe
   that ADIF is a compact format, but does believe that the Information
   Model author can design a PIB with accounting statistics that will
   satisfy this requirement.

   1.4.3 Accounting Record Extensibility - P (was T)  By defining a
   vendor/device specific PIB for additional elements.

   1.4.4 Batch Accounting - P (was T)  Offered description does not seem
   to match the requirement.

   1.4.5 Guaranteed Delivery - P (was T)  TCP does NOT "guarantee
   delivery", only application Acks can do that.  If these acks can be
   generated similar to the description here, then this requirement is

--
   1.4.6 Accounting Timestamps - T  Another item for the "Information
   Model" author.

   1.4.7 Dynamic Accounting - T  Event and interim accounting can be
   supported.

   1.5 MOBILE IP Requirements

   1.5.1 Encoding of MOBILE IP Registration Messages - P (was T)  Yet

--
   but workable.
   * With regard to Authentication, every technique can be supported
     although support for PAP or cleartext passwords is weak.
   * With regard to Authorization, there is nothing in the requirements
     that cannot be supported.
   * Accounting everything supported, although there is no specific
     consideration for compact encoding.  SNMP not as bloated as ASCII
     or XML based encoding schemes.  Requirement for compact encoding
     weakly indicated in requirements anyway.  Server-specific
     attributes needed, but compact encoding preclude w/o tradeoffs.

--
     response document.
   * SNMP is just data moving protocol.
   * Message formats not specified.
   * What is the method for supporting authentication?  Storing the
     information is handled, but what do the nodes do with it?

   * The protocol certainly shined in the area of meeting accounting
     requirements.
   * Although SNMP could certainly play a role in the accounting space,
     it is unusable in the areas of Authorization and Authentication.
   * The response document does not address how the problem will be
     solved.
   * It does not address the scalability issues that may arise in the
     transition from a manager-agent mode of operation to a client-

--
   compliance statement.

   Conclusion from Dave: Not recommended (Details in the con
   statement).

   Q: Is it possible to use it for accounting?
   A: Authentication and Authorization could be separated, but
      Accounting is the weak link in this protocol and hence is not
      suitable.

   - Mark Steven's summary of the Pro statement
     Agreed with most of the observations made by Dave Nelson.  The
     biggest thing going for it is that it has been running in this

--
   1.3.3/4/5/6/7/8

   Call dropped.  Somebody else needs to fill in here.  (Mike ????)

   Accounting Requirements:

   1.4.1 Real time accounting

   No dissent.  No discussion

   1.4.2 Mandatory compact encoding

   Comment made regarding ASN.1 and XML in this context

   1.4.3 Accounting Record Extensibility

   No discussion

   1.4.4 Batch Accounting

   No specific wording in the document to show how this can be done.
   Basically it is real time accounting without the real time
   constraint.

   It may be a trivial issue.

   1.4.5/6 Guaranteed Delivery/Accounting Timestamps

   No Discussion

   1.4.7 Dynamic Accounting

   There is ongoing discussion in the AAA WG on this requirement.  The
   RADIUS WG is also discussing this (comment).  The idea here is to be
   able to send the equivalent of a phone-call-in-progress type of
   messages.

--
   ACL: filter style syntax seems inadequate

   state reconciliation: difficult over global multiple
   administrative domains

   batch accounting: implementation doesn't meet intended need

   firewall friendly: until firewalls support SCTP will be failure

   summary very close

--
   1.3.8 Unsolicited disconnect

   No Discussion

   Accounting Requirements:

   1.4.1 Real time accounting

   No Discussion

   1.4.2 Mandatory compact encoding

   Is ADIF compact?
   Is ADIF UTF-8 compatible?

   1.4.3 Accounting Record Extensibility

   No Discussion

   1.4.4 Batch Accounting

   Diameter okay for small batches.  Specification doesn't seem
   suitable for large batch transfers (100,000+ records)

   1.4.5 Guaranteed Delivery

   No Discussion

   1.4.6 Accounting Timestamps

   No Discussion

   1.4.7 Dynamic Accounting

   No Discussion

   Mobile IP Requirements:

--
   1.3.6 Access Rules - lots of work needed.

   1.3.7 State Reconciliation - multi-server coordination is an issue.

   1.4.4 Batch Accounting - for small batches, perhaps.

   1.4.5 Guaranteed Delivery - application acks are an area of mystery.

   1.5.2 Firewall-Friendly - COPS like any Swiss-Army-Knife protocol
   (SNMP) requires the firewall to look inside the packets, because

--
   1.4.2 No comment.

   1.4.3 No comment.

   1.4.4 There was significant skepticism regarding batch accounting as
   part of the AAA protocol.  How large are the "batches"?  Should this
   requirement be met using FTP or something similar?

   1.4.5 No comment.

--
   A poll was taken on overall acceptability and effort for each of the
   protocols submitted, for requirements conformance.

   Each member indicated their evaluation in the form of (Acceptable,
   Not-Acceptable) with qualifiers for (Accounting, or effort to change).
   This information will be summarized in the final report.

   A general wrap-up discussion was held.

   It was considered important that as much of the thought processes and

rfc6709.txt:

4.5.  Cryptographic Agility

   Extensibility with respect to cryptographic algorithms is desirable
   in order to provide resilience against the compromise of any
   particular algorithm.  Section 3 of "Guidance for Authentication,
   Authorization, and Accounting (AAA) Key Management" BCP 132 [RFC4962]
   provides some basic advice:

      The ability to negotiate the use of a particular cryptographic
      algorithm provides resilience against compromise of a particular
      cryptographic algorithm....  This is usually accomplished by

--
              for Multiprotocol Label Switching (MPLS) and Generalized
              MPLS (GMPLS) Protocols and Procedures", BCP 129, RFC 4929,
              June 2007.

   [RFC4962]  Housley, R. and B. Aboba, "Guidance for Authentication,
              Authorization, and Accounting (AAA) Key Management", BCP
              132, RFC 4962, July 2007.

   [RFC5080]  Nelson, D. and A. DeKok, "Common Remote Authentication
              Dial In User Service (RADIUS) Implementation Issues and
              Suggested Fixes", RFC 5080, December 2007.

rfc5677.txt:

   DHCP servers.

   Domain Name System (DNS): a protocol described in [RFC1035] that
   translates domain names to IP addresses.

   Authentication, Authorization, and Accounting (AAA): a set of network
   management services that respectively determine the validity of a
   user's ID, determine whether a user is allowed to use network
   resources, and track users' use of network resources.

   Home AAA (AAAh): an AAA server located on the MN's home network.

rfc6058.txt:

   LMA by means of signaling.  An LMA can establish or change the
   settings of a transient binding according to events, such as a
   timeout, a change of the radio technology due to a handover, or a
   completed set up of a radio bearer or configuration of an MN's IP
   address.  Such an event may also be triggered by other protocols,
   e.g., Authentication, Authorization, and Accounting (AAA) messages.
   This document specifies advanced binding cache control by means of a
   Transient Binding option, which can be used with PMIPv6 signaling to
   support transient BCEs.  Furthermore, this document specifies
   forwarding characteristics according to the current state of a
   binding to switch the forwarding tunnel at the LMA from the pMAG to

rfc2661.txt:

   The Remote System initiates a PPP connection across the PSTN Cloud to
   an LAC.  The LAC then tunnels the PPP connection across the Internet,
   Frame Relay, or ATM Cloud to an LNS whereby access to a Home LAN is
   obtained.  The Remote System is provided addresses from the HOME LAN
   via PPP NCP negotiation.  Authentication, Authorization and Accounting
   may be provided by the Home LAN's Management Domain as if the user
   were connected to a Network Access Server directly.

   A LAC Client (a Host which runs L2TP natively) may also participate
   in tunneling to the Home LAN without use of a separate LAC.  In this
   case, the Host containing the LAC Client software already has a
   connection to the public Internet.  A "virtual" PPP connection is then
   created and the local L2TP LAC Client software creates a tunnel to
   the LNS.  As in the above case, Addressing, Authentication,
   Authorization and Accounting will be provided by the Home LAN's
   Management Domain.

rfc5944.txt:

   When the mobile node receives an Agent Advertisement with the 'R' bit
   set, the mobile node SHOULD register through the foreign agent, even
   when the mobile node might be able to acquire its own co-located
   care-of address.  This feature is intended to allow sites to enforce
   visiting policies (such as accounting) that require exchanges of
   authorization.

   If formerly reserved bits require some kind of monitoring/enforcement
   at the foreign link, foreign agents implementing the new
   specification for the formerly reserved bits can set the 'R' bit.

--
   [45]  Stevens, R., "TCP/IP Illustrated, Volume 1: The Protocols",
         Addison-Wesley, Reading, Massachusetts, 1994.

   [46]  Perkins, C. and P. Calhoun, "Authentication, Authorization, and
         Accounting (AAA) Registration Keys for Mobile IPv4", RFC 3957,
         March 2005.

   [47]  Simpson, W., Ed., "The Point-to-Point Protocol (PPP)", STD 51,
         RFC 1661, July 1994.

rfc870.txt:

   1-149     1-225    Unassigned                               [JBP]
   150       226      Xerox NS IP                           [62,LLG]
   151       227      Unassigned                               [JBP]
   152       230      PARC Universal Protocol               [6,EAT3]
   153       231      TIP Status Reporting                     [JGH]
   154       232      TIP Accounting                           [JGH]
   155       233      Internet Protocol (regular)       [16,47,JBP]
   156-158   234-236  Internet Protocol (experimental)  [16,47,JBP]
   159-195   237-303  Unassigned                               [JBP]
   196-255   304-377  Experimental Protocols                   [JBP]
   248-255   370-377  Network Maintenance                      [JGH]

rfc1678.txt:

   path.

   Corporate networks must meet promised levels of service while
   controlling costs through efficient use of resources.  The IETF
   should consider both technical solutions (such as service classes and
   priorities) and administrative ones (such as accounting) to promote
   economy.

   Many businesses will not connect to a network until they are
   confident that it will not significantly threaten the
   confidentiality, integrity, or availability of their data.

--
   To discourage waste of bandwidth and other expensive resources,
   corporations want to account for their use.  Direct cost recovery
   would let an entity measure and benchmark its efficiency with minimal
   economic distortion.  Alternatives, such as placing these costs into
   corporate overhead or charging per connection, make sense when the
   administrative cost of implementing usage-based accounting is high
   enough to introduce more economic distortion than the alternatives
   would.  For example, connection-based costs alone may be adequate for
   a resource (such as LAN bandwidth) that is not scarce or expensive,
   but a combination of a connection cost and a usage cost may be more
   appropriate for a more scarce or expensive resource (such as WAN
   bandwidth).  Balance must be maintained between the overhead of
   accounting and the granularity of cost allocation.

Security

   Many corporations will stick with their private networks until public
   ones can guarantee equivalent confidentiality, integrity, and

--
RFC 1678     IPng Requirements of Large Corporate Networks   August 1994

   discourage inappropriate reservation of resources; e.g., a Telnet
   connection probably doesn't need to reserve 45Mbps.  Accounting,
   class-of-service, and well-known-port distinctions are possible ways
   to satisfy that requirement.

Mobile Hosts

rfc1168.txt:

   contains the destination Internet addresses.  Figure 4a illustrates
   the path of mail from the Internet to the commercial systems.  Figure
   4b illustrates the path from the commercial systems to the Internet.

   Note: MCI Mail is not yet implemented.

   The CMR employs a simple accounting mechanism: a shell script counts
   the number of times a string marker occurs in the MMDF logs.  At the
   end of the month, another script uses an "awk" program to total the
   number of messages sent and received with each commercial system.  The
   Commercial Mail Relay is being developed by Craig E. Ward.  Ann
   Westine served as the Postmaster for both Intermail and the CMR until

--
   The commercial systems are geared for paying customers to send and
   receive mail to other paying customers.  They are not equipped to
   handle reverse billing, or "collect calls."  ISI is currently charged
   for connect time needed to transmit and receive mail to and from
   other Internet sites.  A possible solution to this problem would be
   to extend the CMR to include accounting and billing procedures that
   would pass the costs of CMR to its users.

   What had been GTE Telemail became Sprint SprintMail, Telenet became
   Sprintnet, and the host TELEMAIL/USA became SM66/USA.

rfc3432.txt:

   precedence).

4.6 Errors and uncertainties

   The description of any specific measurement method should include an
   accounting and analysis of various sources of error or uncertainty.
   The Framework RFC [3] provides general guidance on this point, but we
   note here the following specifics related to periodic streams and
   delay metrics:

   +  Error due to variation of incT.  The reasons for this can be

--
   relevant to this memo.  The user's focus is on transport quality
   evaluation from the application point of view.  However, to properly
   separate the quality contribution of the operating system and codec
   on packet voice, for example, it is beneficial to be able to measure
   quality at the IP level [6].  Link layer monitoring provides a way of
   accounting for link layer characteristics such as bit error rates.

                          ---------------
                          |  application |
                          ---------------
                          |  transport   |  <--

--
   latter property means that measurement streams are transmitted in
   both directions.  Thus, the measurement provides information on
   quality of service as experienced by two-way applications.

   The downsides of round-trip measurement are the need for more
   bandwidth than a one-way test and more complex accounting of packet
   loss.  Moreover, the stream that is returning towards the original
   sender may be more bursty than the one on the first "leg" of the

rfc5712.txt:

   and both bandwidth reservations cannot be satisfied on the R1-R4
   link.

   Instead of sending a PathTear message for LSP2 upon preemption as
   with hard preemption (which would result in an immediate traffic
   disruption for LSP2), R1's local bandwidth accounting for LSP2 is
   zeroed, and a PathErr message with error code "Reroute" and a value
   "Reroute Request Soft Preemption" for LSP2 is issued.

   Upon reception of the PathErr message for LSP2, R2 may update the
   working copy of the TE-DB before calculating a new path for the new

--
RFC 5712                 MPLS-TE Soft Preemption             January 2010

   By contrast, the mode of operation with soft preemption is as
   follows: the preempting node's local bandwidth accounting for the
   preempted TE LSP is zeroed and a PathErr with error code "Reroute",
   and an error value "Reroute Request Soft Preemption" for that TE LSP
   is issued upstream toward the head-end LSR.

   If more than one soft preempted TE LSP has the same head-end LSR,

--
   transparently.

8.  Management

   Both the point of preemption and the ingress LER SHOULD provide some
   form of accounting internally and to the network operator interface
   with regard to which TE LSPs and how much capacity is under-
   provisioned due to soft preemption.  Displays of under-provisioning
   are recommended for the following midpoint, ingress, and egress
   views:

rfc5571.txt:

   2. Applicability of L2TPv2 for Softwire Requirements ...............6
      2.1. Traditional Network Address Translation (NAT and NAPT) .....6
      2.2. Scalability ................................................7
      2.3. Routing ....................................................7
      2.4. Multicast ..................................................7
      2.5. Authentication, Authorization, and Accounting (AAA) ........7
      2.6. Privacy, Integrity, and Replay Protection ..................7
      2.7. Operations and Management ..................................8
      2.8. Encapsulations .............................................8
   3. Deployment Scenarios ............................................8
      3.1. IPv6-over-IPv4 Softwires with L2TPv2 .......................9

--
           3.2.3. Host behind CPE as Softwire Initiator ..............16
           3.2.4. Router behind CPE as Softwire Initiator ............16
   4. References to Standardization Documents ........................17
      4.1. L2TPv2 ....................................................18
      4.2. Securing the Softwire Transport ...........................18
      4.3. Authentication, Authorization, and Accounting .............18
      4.4. MIB .......................................................18
      4.5. Softwire Payload Related ..................................19
           4.5.1. For IPv6 Payloads ..................................19
           4.5.2. For IPv4 Payloads ..................................19
   5. Softwire Establishment .........................................20

--
           8.1.2. IPv4 Softwires .....................................33
      8.2. Delegated Prefixes ........................................34
           8.2.1. IPv6 Prefixes ......................................34
           8.2.2. IPv4 Prefixes ......................................34
   9. Considerations for Maintenance and Statistics ..................34
      9.1. RADIUS Accounting .........................................35
      9.2. MIBs ......................................................35
   10. Security Considerations .......................................35
   11. Acknowledgements ..............................................36
   12. References ....................................................37
      12.1. Normative References .....................................37

--
2.4.  Multicast

   Multicast protocols simply run transparently over L2TPv2 Softwires
   together with other regular IP traffic.

2.5.  Authentication, Authorization, and Accounting (AAA)

   L2TPv2 supports optional mutual Control Channel authentication and
   leverages the optional mutual PPP per-session authentication.  L2TPv2
   is well integrated with AAA solutions (such as RADIUS) for both
   authentication and authorization.  Most L2TPv2 implementations
   available in the market support the logging of authentication and
   authorization events.

   L2TPv2 integration with RADIUS accounting (RADIUS Accounting
   extension for tunnel [RFC2867]) allows the collection and reporting
   of L2TPv2 Softwire usage statistics.

2.6.  Privacy, Integrity, and Replay Protection

--
   RFC 3948 "UDP Encapsulation of IPsec ESP Packets" [RFC3948].

   *  IPsec supports both IPv4 and IPv6 transports.

4.3.  Authentication, Authorization, and Accounting

   RFC 2865 "Remote Authentication Dial In User Service (RADIUS)"
   [RFC2865].

   *  Updated by [RFC2868], [RFC3575], and [RFC5080].

   RFC 2867 "RADIUS Accounting Modifications for Tunnel Protocol
   Support" [RFC2867].

   RFC 2868 "RADIUS Attributes for Tunnel Protocol Support" [RFC2868].

   RFC 3162 "RADIUS and IPv6" [RFC3162].

--
Storer, et al.               Standards Track                   [Page 34]

RFC 5571          Softwire H & S Framework with L2TPv2         June 2009

9.1.  RADIUS Accounting

   RADIUS Accounting for L2TP and PPP is documented (see Section 4.3).

   When deploying Softwire solutions, operators may have difficulty
   differentiating the address family of the traffic reported in
   accounting information from RADIUS.  This problem and some potential
   solutions are described in [SW-ACCT].

9.2.  MIBs

   MIB support for L2TPv2 and PPP is documented (see Section 4.4).

--
   [RFC2867]    Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting
                Modifications for Tunnel Protocol Support", RFC 2867,
                June 2000.

   [RFC2868]    Zorn, G., Leifer, D., Rubens, A., Shriver, J.,
                Holdrege, M., and I. Goyret, "RADIUS Attributes for

--
   [SUBNET-ALL] Johnson, R., Kumarasamy, J., Kinnear, K., and M. Stapp,
                "Subnet Allocation Option", Work in Progress,
                March 2009.

   [SW-ACCT]    Stevant, B., Toutain, L., Dupont, F., and D. Binet,
                "Accounting on Softwires", Work in Progress,
                April 2009.

   [SW-SEC]     Yamamoto, S., Williams, C., Parent, F., and H. Yokota,
                "Softwire Security Analysis and Requirements", Work
                in Progress, May 2009.

rfc5090.txt:

   authenticate itself to a proxy server.  Digest Authentication is used
   in other protocols as well.

   To simplify the provisioning of users, there is a need to support
   this authentication mechanism within Authentication, Authorization,
   and Accounting (AAA) protocols such as RADIUS [RFC2865] and Diameter
   [RFC3588].

   This document defines an extension to the RADIUS protocol to enable
   support of Digest Authentication for use with SIP, HTTP, and other
   HTTP-style protocols using this authentication method.  Support for

--
   Description
         This attribute describes a protection space component of the
         RADIUS server.  HTTP-style protocols differ in their definition
         of the protection space.  See [RFC2617], Section 1.2, for
         details.  It MUST only be used in Access-Request, Access-
         Challenge, and Accounting-Request packets.
   Type
         104 for Digest-Realm
   Length
         >= 3
   Text

--
3.6.  Digest-Method Attribute

   Description
         This attribute holds the method value to be used in the HTTP
         Digest calculation.  This attribute MUST only be used in
         Access-Request and Accounting-Request packets.
   Type
         108 for Digest-Method
   Length
         >= 3
   Text

--
3.7.  Digest-URI Attribute

   Description
         This attribute is used to transport the contents of the
         digest-uri directive or the URI of the HTTP-style request.  It
         MUST only be used in Access-Request and Accounting-Request
         packets.
   Type
         109 for Digest-URI
   Length
         >= 3

--
   Description
         This attribute holds the Quality of Protection parameter that
         influences the HTTP Digest calculation.  This attribute MUST
         only be used in Access-Request, Access-Challenge, and
         Accounting-Request packets.  A RADIUS client SHOULD insert one
         of the Digest-Qop attributes it has received in a previous
         Access-Challenge packet.  RADIUS servers SHOULD insert at least
         one Digest-Qop Attribute in an Access-Challenge packet.
         Digest-Qop is optional in order to preserve backward
         compatibility with a minimal implementation of [RFC2069].

--
3.9.  Digest-Algorithm Attribute

   Description
         This attribute holds the algorithm parameter that influences
         the HTTP Digest calculation.  It MUST only be used in Access-
         Request, Access-Challenge and Accounting-Request packets.  If
         this attribute is missing, MD5 is assumed.
../data/rfc/rfc5090.txt- Type ../data/rfc/rfc5090.txt- 111 for Digest-Algorithm ../data/rfc/rfc5090.txt- Length ../data/rfc/rfc5090.txt- >= 3 -- ../data/rfc/rfc5090.txt-RFC 5090 RADIUS Extension Digest Authentication February 2008 ../data/rfc/rfc5090.txt- ../data/rfc/rfc5090.txt- ../data/rfc/rfc5090.txt- MUST use the User-Name (1) Attribute, and MUST NOT use the ../data/rfc/rfc5090.txt- Digest-Username Attribute. This attribute MUST only be used in ../data/rfc/rfc5090.txt: Access-Request and Accounting-Request packets. ../data/rfc/rfc5090.txt- Type ../data/rfc/rfc5090.txt- 115 for Digest-Username ../data/rfc/rfc5090.txt- Length ../data/rfc/rfc5090.txt- >= 3 ../data/rfc/rfc5090.txt- Text -- ../data/rfc/rfc5090.txt- ../data/rfc/rfc5090.txt- the RADIUS implementation MUST repeat this attribute, and each ../data/rfc/rfc5090.txt- instance MUST contain one different unknown Digest ../data/rfc/rfc5090.txt- parameter/value combination. This attribute MUST ONLY be used ../data/rfc/rfc5090.txt- in Access-Request, Access-Challenge, Access-Accept, and ../data/rfc/rfc5090.txt: Accounting-Request packets. ../data/rfc/rfc5090.txt- Type ../data/rfc/rfc5090.txt- 117 for Digest-Auth-Param ../data/rfc/rfc5090.txt- Length ../data/rfc/rfc5090.txt- >= 3 ../data/rfc/rfc5090.txt- Text -- ../data/rfc/rfc5090.txt- Challenge packet. The RADIUS client puts them into the quoted, ../data/rfc/rfc5090.txt- space-separated list of URIs of the domain directive of a WWW- ../data/rfc/rfc5090.txt- Authenticate header. Together with Digest-Realm, the URIs in ../data/rfc/rfc5090.txt- the list define the protection space (see [RFC2617], Section ../data/rfc/rfc5090.txt- 3.2.1) for some HTTP-style protocols. This attribute MUST only ../data/rfc/rfc5090.txt: be used in Access-Challenge and Accounting-Request packets. 
../data/rfc/rfc5090.txt- Type ../data/rfc/rfc5090.txt- 119 for Digest-Domain ../data/rfc/rfc5090.txt- Length ../data/rfc/rfc5090.txt- 3 ../data/rfc/rfc5090.txt- -- ../data/rfc/rfc5090.txt- editorial changes are not mentioned here. ../data/rfc/rfc5090.txt- ../data/rfc/rfc5090.txt- o The Table of Attributes (Section 5) now indicates that the ../data/rfc/rfc5090.txt- Digest-Method Attribute is required within an Access-Request. ../data/rfc/rfc5090.txt- Also, an entry has been added for the State attribute. The table ../data/rfc/rfc5090.txt: also includes entries for Accounting-Request messages. As noted ../data/rfc/rfc5090.txt- in the examples, the User-Name Attribute is not necessary when ../data/rfc/rfc5090.txt- requesting a nonce. ../data/rfc/rfc5090.txt- ../data/rfc/rfc5090.txt- o Two errors in attribute assignment have been corrected within the ../data/rfc/rfc5090.txt- IANA Considerations (Section 7). Digest-Response-Auth is assigned -- ../data/rfc/rfc1299.txt-of changes in service-level reachability in the global TCP/IP Internet. ../data/rfc/rfc1299.txt-This memo provides information for the Internet community. It does not ../data/rfc/rfc1299.txt-specify an Internet standard. ../data/rfc/rfc1299.txt- ../data/rfc/rfc1299.txt- ../data/rfc/rfc1299.txt:1272 Mills Nov 91 Internet Accounting: Background ../data/rfc/rfc1299.txt- ../data/rfc/rfc1299.txt-This document provides background information for the "Internet ../data/rfc/rfc1299.txt:Accounting Architecture". This memo provides information for the ../data/rfc/rfc1299.txt-Internet community. It does not specify an Internet standard. ../data/rfc/rfc1299.txt- ../data/rfc/rfc1299.txt- ../data/rfc/rfc1299.txt-1271 Waldbusser Nov 91 Remote Network Monitoring Management ../data/rfc/rfc1299.txt- Information Base -- ../data/rfc/rfc6065.txt-ISSN: 2070-1721 Elbrys Networks, Inc. ../data/rfc/rfc6065.txt- R. Presuhn, Ed. 
../data/rfc/rfc6065.txt- December 2010 ../data/rfc/rfc6065.txt- ../data/rfc/rfc6065.txt- ../data/rfc/rfc6065.txt: Using Authentication, Authorization, and Accounting Services ../data/rfc/rfc6065.txt- to Dynamically Provision View-Based Access Control Model ../data/rfc/rfc6065.txt- User-to-Group Mappings ../data/rfc/rfc6065.txt- ../data/rfc/rfc6065.txt-Abstract ../data/rfc/rfc6065.txt- ../data/rfc/rfc6065.txt- This memo defines a portion of the Management Information Base (MIB) ../data/rfc/rfc6065.txt- for use with network management protocols. It describes the use of ../data/rfc/rfc6065.txt: information provided by Authentication, Authorization, and Accounting ../data/rfc/rfc6065.txt- (AAA) services, such as the Remote Authentication Dial-In User ../data/rfc/rfc6065.txt- Service (RADIUS), to dynamically update user-to-group mappings in the ../data/rfc/rfc6065.txt- View-based Access Control Model (VACM). ../data/rfc/rfc6065.txt- ../data/rfc/rfc6065.txt-Status of This Memo -- ../data/rfc/rfc6065.txt-1. Introduction ../data/rfc/rfc6065.txt- ../data/rfc/rfc6065.txt- This memo specifies a way to dynamically provision selected View- ../data/rfc/rfc6065.txt- based Access Control Model (VACM) [RFC3415] Management Information ../data/rfc/rfc6065.txt- Base (MIB) objects, based on information received from an ../data/rfc/rfc6065.txt: Authentication, Authorization, and Accounting (AAA) service, such as ../data/rfc/rfc6065.txt- RADIUS [RFC2865] and [RFC5607]. 
It reduces the need for security ../data/rfc/rfc6065.txt- administrators to manually update VACM configurations due to user ../data/rfc/rfc6065.txt- churn, allowing a centralized AAA service to provide the information ../data/rfc/rfc6065.txt- associating a given user with the access control policy (known as a ../data/rfc/rfc6065.txt- "group" in VACM) governing that user's access to management -- ../data/rfc/rfc3955.txt-RFC 3955 Evaluation of Candidate Protocols for IPFIX October 2004 ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-2.1. CRANE ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt: XACCT's Common Reliable Accounting for Network Element Protocol ../data/rfc/rfc3955.txt- Version 1.0 [7][8] is described as a protocol for the transmission of ../data/rfc/rfc3955.txt: accounting information from "Network Elements" to "mediation" and ../data/rfc/rfc3955.txt- "business support systems". ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-2.1.1. CRANE Protocol Operation ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- The exporting side is the CRANE client, the collecting side is the -- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- Diameter [9][10] is an evolution of the Remote Authentication Dial In ../data/rfc/rfc3955.txt- User Service (RADIUS) protocol [22]. RADIUS is widely used to ../data/rfc/rfc3955.txt- outsource authentication and authorization in dialup access ../data/rfc/rfc3955.txt- environments. Diameter is a generalized and extensible protocol ../data/rfc/rfc3955.txt: intended to support Authentication, Authorization and Accounting ../data/rfc/rfc3955.txt- (AAA) requirements of different applications. Dialup and Mobile IPv4 ../data/rfc/rfc3955.txt- are examples of such applications defined in the IETF. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-2.2.1. 
Diameter Protocol Operation ../data/rfc/rfc3955.txt- -- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- LFAP [11][12][13] started out as the "Lightweight Flow Admission ../data/rfc/rfc3955.txt- Protocol" and was used to outsource shortcut creation decisions on ../data/rfc/rfc3955.txt- flow-based routers, as well as to provide per-flow statistics. Later ../data/rfc/rfc3955.txt- versions removed the admission function and changed the name to ../data/rfc/rfc3955.txt: "Lightweight Flow Accounting Protocol". ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-Leinen Informational [Page 4] -- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-2.3.1. LFAP Protocol Operation ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- The exporter in LFAP is called the Connection Control Entity (CCE), ../data/rfc/rfc3955.txt: and the collector is the Flow Accounting Server (FAS). These ../data/rfc/rfc3955.txt- entities communicate with each other over a TCP connection. LFAP ../data/rfc/rfc3955.txt- knows thirteen message types, including operations for connection ../data/rfc/rfc3955.txt- management, version negotiation, flow information messages and ../data/rfc/rfc3955.txt- administrative requests. Authentication and encryption can be ../data/rfc/rfc3955.txt- provided by IPsec or TLS at lower layers. Additionally, the LFAP -- ../data/rfc/rfc3955.txt- authentication and DES-CBC encryption. Note that DES is now widely ../data/rfc/rfc3955.txt- regarded as not adequately secure, because its small key size makes ../data/rfc/rfc3955.txt- brute-force attacks viable. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- A distinguishing feature is that LFAP has two different message types ../data/rfc/rfc3955.txt: for flow information: A Flow Accounting Request (FAR) message is sent ../data/rfc/rfc3955.txt- when a new flow is identified at the CCE (meter/exporter). 
../data/rfc/rfc3955.txt: Accounting information is sent later in one or multiple Flow Update ../data/rfc/rfc3955.txt- Notification (FUN) messages. A collector must match each FUN to a ../data/rfc/rfc3955.txt- Flow ID previously sent in a FAR. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- The LFAP document also defines a set of useful statistics about the ../data/rfc/rfc3955.txt: accounting process. A separate MIB document [14] is provided for ../data/rfc/rfc3955.txt- management of LFAP entities using SNMP. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-2.3.2. LFAP Data Encoding ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- LFAP encodes data in a Type/Length/Value format with four bytes of -- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-3.1.1. High-Performance Flow Metering (NetFlow, LFAP) ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- Of the candidate protocols, Cisco's NetFlow is the purest example of ../data/rfc/rfc3955.txt- a highly specialized protocol that has been designed with the sole ../data/rfc/rfc3955.txt: objective of conveying accounting data from flow-aware routers at ../data/rfc/rfc3955.txt: high rates. Starting from a fixed set of accounting fields, it has ../data/rfc/rfc3955.txt- been extended a few times over the years to support additional fields ../data/rfc/rfc3955.txt- and various types of aggregation in the metering/exporting process. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- Riverstone's LFAP is similarly focused, except that it originated in ../data/rfc/rfc3955.txt- a protocol to outsource the decision whether to create shortcuts in ../data/rfc/rfc3955.txt- flow-based routers. This is still manifest in an increased emphasis ../data/rfc/rfc3955.txt- on reliable operation, and in the split reporting of flow information ../data/rfc/rfc3955.txt: using Flow Accounting Request (FAR) and Flow Update Notification ../data/rfc/rfc3955.txt- (FUN) messages. 
../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- It has been pointed out that split reporting as done by LFAP can ../data/rfc/rfc3955.txt- reduce memory requirements at the exporter. This concerns a subset ../data/rfc/rfc3955.txt- of attributes that are neither "key" attributes which define flows, -- ../data/rfc/rfc3955.txt- short-lived flows, the number of flow export messages will be ../data/rfc/rfc3955.txt- significantly higher than with "unitary" flow export models, and the ../data/rfc/rfc3955.txt- collector will have to keep state about active flows until they are ../data/rfc/rfc3955.txt- terminated. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt:3.1.2. Carrier-Grade Multi-Purpose Accounting (IPDR, CRANE) ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- Streaming IPDR and CRANE describe themselves as protocols to ../data/rfc/rfc3955.txt: facilitate the reliable transfer of accounting information between ../data/rfc/rfc3955.txt- Network Elements (or more generally "Service Elements" in the case of ../data/rfc/rfc3955.txt- IPDR) and Mediation Systems or Business Support Systems (BSS). They ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- -- ../data/rfc/rfc3955.txt-Leinen Informational [Page 7] ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-RFC 3955 Evaluation of Candidate Protocols for IPFIX October 2004 ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt: reflect a view of the accounting problem and of network system ../data/rfc/rfc3955.txt- architectures that originates in traditional "vertically integrated" ../data/rfc/rfc3955.txt- telecommunications. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- Both protocols also emphasize extensibility with the goal of ../data/rfc/rfc3955.txt: applicability to a wide range of accounting tasks. 
../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- IPDR is based on NDM-U, which uses the XML-Schema language for ../data/rfc/rfc3955.txt: machine-readable specification of accounting data structures, while ../data/rfc/rfc3955.txt- using the efficient XDR encoding for the actual data transfer. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- CRANE uses templates to describe exported data. These templates are ../data/rfc/rfc3955.txt- negotiated between collector and exporter and can change during a ../data/rfc/rfc3955.txt- session. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-3.1.3. General-Purpose AAA (Diameter) ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- Diameter is another example of a broader-purpose protocol, in that it ../data/rfc/rfc3955.txt- covers aspects of authentication and authorization as well as ../data/rfc/rfc3955.txt: accounting. This explains its strong emphasis on security and ../data/rfc/rfc3955.txt- reliability. The design also takes into account various types of ../data/rfc/rfc3955.txt- intermediate agents. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-3.2. Data Representation ../data/rfc/rfc3955.txt- -- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- Diameter has a general capabilities negotiation mechanism. The use ../data/rfc/rfc3955.txt- of Diameter for IPFIX hasn't been described in sufficient detail to ../data/rfc/rfc3955.txt- determine how capabilities negotiation would be used. After ../data/rfc/rfc3955.txt- negotiation, the protocol would operate in essentially unidirectional ../data/rfc/rfc3955.txt: mode, with Accounting-Request (ACR) messages flowing from the ../data/rfc/rfc3955.txt: exporter to the collector, and Accounting-Answer (ACA) messages ../data/rfc/rfc3955.txt- flowing back. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-4. 
Item-Level Compliance Evaluation ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- The template for protocol advocates noted that not all requirements -- ../data/rfc/rfc3955.txt- protocol that supports this. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-4.2. Sampling (5.2) ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- CRANE and IPDR don't mention the possibility of sampling. This is ../data/rfc/rfc3955.txt: natural because they are targeted towards telco-grade accounting, ../data/rfc/rfc3955.txt- where sampling would be considered inadmissible. Since support for ../data/rfc/rfc3955.txt- sampling is a "MAY" requirement, its lack could be tolerated, but ../data/rfc/rfc3955.txt- severely restricts the applicability of these protocols in places of ../data/rfc/rfc3955.txt- high aggregation, where absolute precision is not necessary. This ../data/rfc/rfc3955.txt- includes applications such as traffic profiling, traffic engineering, ../data/rfc/rfc3955.txt- and large-scale attack/intrusion detection, but also usage-based ../data/rfc/rfc3955.txt: accounting applications where charging based on sampling is agreed ../data/rfc/rfc3955.txt- upon. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- The Diameter advocate acknowledges the existence of sampling and ../data/rfc/rfc3955.txt- suggests to define new (grouped) AVPs to carry information about the ../data/rfc/rfc3955.txt- sampling parameters in use. -- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- Each candidate protocol defines a data model that allows for some ../data/rfc/rfc3955.txt- degree of extensibility. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- CRANE uses Keys to specify fields in templates. A key "specification ../data/rfc/rfc3955.txt: MUST consist of the description and the data type of the accounting ../data/rfc/rfc3955.txt- item." 
Apparently extensibility is intended, but it is not clear ../data/rfc/rfc3955.txt- whether adding a new Key really only involves writing a textual ../data/rfc/rfc3955.txt- description and deciding upon a base type. Every Key also has a 32- ../data/rfc/rfc3955.txt- bit Key ID, but from the current specification they don't seem to ../data/rfc/rfc3955.txt- carry global semantics. -- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-RFC 3955 Evaluation of Candidate Protocols for IPFIX October 2004 ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- CRANE, Diameter, and IPDR, as protocols that strive to be carrier- ../data/rfc/rfc3955.txt: grade accounting protocols, understandably exhibit a strong emphasis ../data/rfc/rfc3955.txt- on near-total reliability of the flow export process. All three ../data/rfc/rfc3955.txt- protocols use application-level acknowledgements (in case of IPDR, ../data/rfc/rfc3955.txt- optionally) to include the entire collection process in the feedback ../data/rfc/rfc3955.txt- loop. Indications of "lack of reliability" (lost flow data) are ../data/rfc/rfc3955.txt- somewhat unnatural to these protocols, because they take every effort -- ../data/rfc/rfc3955.txt- where one would rather drop a packet than forward it unaccounted for. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- LFAP has application-level acknowledgements, and it also reports ../data/rfc/rfc3955.txt- detailed statistics about lost flows and the amount of data that ../data/rfc/rfc3955.txt- couldn't be accounted for. It represents a middle ground in that it ../data/rfc/rfc3955.txt: acknowledges that accounting reliability will sometimes be sacrificed ../data/rfc/rfc3955.txt- for the benefit of other tasks, such as switching packets, and ../data/rfc/rfc3955.txt- provides the tools to gracefully deal with such situations. 
../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- NetFlow v9 is the only protocol for which the use of a "reliable" ../data/rfc/rfc3955.txt- transport protocol is optional, and the only protocol that doesn't -- ../data/rfc/rfc3955.txt- Status Requests can only be issued by the server (collector), so they ../data/rfc/rfc3955.txt- cannot be used by the server to signal asynchronous events. As in ../data/rfc/rfc3955.txt- IPDR, this could be circumvented by defining templates for meta- ../data/rfc/rfc3955.txt- information. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt: Diameter could use special Accounting-Request messages for event ../data/rfc/rfc3955.txt- notification. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- IPDR would presumably define pseudo-"Usage Events" using an XML ../data/rfc/rfc3955.txt- Schema so that events can be reported along with usage data. ../data/rfc/rfc3955.txt- -- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-5. Conclusions ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- Every candidate protocol has its strengths and weaknesses. If the ../data/rfc/rfc3955.txt- primary goal of the IPFIX standardization effort were to define a ../data/rfc/rfc3955.txt: carrier-grade accounting protocol that can also be used to carry IP ../data/rfc/rfc3955.txt- flow information, then one of CRANE, Diameter and Streaming IPDR ../data/rfc/rfc3955.txt- would probably be the candidate of choice. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- But since the goal is to standardize existing practice in the area of ../data/rfc/rfc3955.txt- IP Flow Information Export, it makes sense to analyze why previous -- ../data/rfc/rfc3955.txt- [6] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", ../data/rfc/rfc3955.txt- RFC 2409, November 1998. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-8.2. Informative References ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt: [7] Zhang, K. and E. 
Elkin, "XACCT's Common Reliable Accounting for ../data/rfc/rfc3955.txt- Network Element (CRANE) Protocol Specification Version 1.0", ../data/rfc/rfc3955.txt- RFC 3423, November 2002. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- [8] Zhang, K., "Evaluation of the CRANE Protocol Against IPFIX ../data/rfc/rfc3955.txt- Requirements", Work in Progress, September 2002. -- ../data/rfc/rfc3955.txt- "Diameter Base Protocol", RFC 3588, September 2003. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- [10] Zander, S., "Evaluation of Diameter Protocol against IPFIX ../data/rfc/rfc3955.txt- Requirements", Work in Progress, September 2002. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt: [11] Calato, P. and M. MacFaden, "Light-weight Flow Accounting ../data/rfc/rfc3955.txt- Protocol Specification Version 5.0", July 2002. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- -- ../data/rfc/rfc3955.txt-Leinen Informational [Page 20] ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt-RFC 3955 Evaluation of Candidate Protocols for IPFIX October 2004 ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt: [12] Calato, P. and M. MacFaden, "Light-weight Flow Accounting ../data/rfc/rfc3955.txt- Protocol Data Definition Specification Version 5.0", July 2002. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- [13] Calato, P., "Evaluation Of Protocol LFAP Against IPFIX ../data/rfc/rfc3955.txt- Requirements", Work in Progress, September 2002. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt: [14] Calato, P. and M. MacFaden, "Light-weight Flow Accounting ../data/rfc/rfc3955.txt- Protocol MIB", Work in Progress, September 2002. ../data/rfc/rfc3955.txt- ../data/rfc/rfc3955.txt- [15] Claise, B., "Evaluation Of NetFlow Version 9 Against IPFIX ../data/rfc/rfc3955.txt- Requirements", Work in Progress, September 2002. 
../data/rfc/rfc3955.txt- -- ../data/rfc/rfc8406.txt- ../data/rfc/rfc8406.txt- Adaptive Linear Coding: ../data/rfc/rfc8406.txt- Linear Coding that utilizes cross-layer adaptation. For instance, ../data/rfc/rfc8406.txt- an adaptive coding scheme may adapt the generation and ../data/rfc/rfc8406.txt- transmission of Repair Packets according to the channel variations ../data/rfc/rfc8406.txt: over time, accounting for the predictive loss of degrees of ../data/rfc/rfc8406.txt- freedom due to erasures. ../data/rfc/rfc8406.txt- ../data/rfc/rfc8406.txt- ../data/rfc/rfc8406.txt- ../data/rfc/rfc8406.txt- -- ../data/rfc/rfc4124.txt- to have different overbooking ratios and simultaneously allows ../data/rfc/rfc4124.txt- overbooking to be tweaked differently (collectively across all CTs) ../data/rfc/rfc4124.txt- on different links. But, in a general sense, it does not allow the ../data/rfc/rfc4124.txt- effective overbooking ratio of every CT to be tweaked differently in ../data/rfc/rfc4124.txt- different parts of the network independently of other CTs, while ../data/rfc/rfc4124.txt: maintaining accurate bandwidth accounting of how different CTs ../data/rfc/rfc4124.txt- mutually affect each other through shared BCs (such as the Maximum ../data/rfc/rfc4124.txt- Reservable Bandwidth). ../data/rfc/rfc4124.txt- ../data/rfc/rfc4124.txt-B.2. Flexibility ../data/rfc/rfc4124.txt- -- ../data/rfc/rfc3693.txt- ../data/rfc/rfc3693.txt- SCENARIO 2: Cell Phone Roaming ../data/rfc/rfc3693.txt- ../data/rfc/rfc3693.txt- In this example, a cell phone is used outside its home service area ../data/rfc/rfc3693.txt- (roaming). Also, the cell phone service provider (cell phone Corp 2) ../data/rfc/rfc3693.txt: outsourced the accounting of cell phone usage. The cell phone is not ../data/rfc/rfc3693.txt- GPS-enabled. Location is derived by the cell phone network in which ../data/rfc/rfc3693.txt- the Target and Device are roaming. 
When the Target wishes to use the ../data/rfc/rfc3693.txt- cell phone, cell phone Corp 1 (AP) provides the roaming service for ../data/rfc/rfc3693.txt- the Target, which sends the raw data about usage (e.g., duration of ../data/rfc/rfc3693.txt- call, location in the roaming network, etc.) to cell phone Corp 2, ../data/rfc/rfc3693.txt- the home service provider. Cell phone Corp 2 submits the raw data to ../data/rfc/rfc3693.txt: the accounting company, which processes the raw data for the ../data/rfc/rfc3693.txt: accounting statements. Finally, the raw data is sent to a data ../data/rfc/rfc3693.txt- warehouse where the raw data is stored in a Location Server (e.g., ../data/rfc/rfc3693.txt- computer server). ../data/rfc/rfc3693.txt- ../data/rfc/rfc3693.txt- Cell Phone Corp 1 Cell Phone Corp 2 ../data/rfc/rfc3693.txt- ----------------- ----------------- -- ../data/rfc/rfc7922.txt- and defines an information model for recording interactions between ../data/rfc/rfc7922.txt- elements implementing the I2RS protocol. This framework provides a ../data/rfc/rfc7922.txt- consistent tracing interface for components implementing the I2RS ../data/rfc/rfc7922.txt- architecture to record what was done, by which component, and when. ../data/rfc/rfc7922.txt- It aims to improve the management of I2RS implementations, and can be ../data/rfc/rfc7922.txt: used for troubleshooting, auditing, forensics, and accounting ../data/rfc/rfc7922.txt- purposes. 
From rfc7922.txt:

Status of This Memo

   This document is not an Internet Standards Track specification; it is

[...]

   from the retained trace logs;

   o  enhanced network audit, management, and forensic analysis
      capabilities;

   o  improved accounting of routing system operations; and

   o  providing a standardized format for incident reporting and test
      logging.

5.  Information Model

[...]

   implements trace log rotation.  The details on how this is achieved
   are left to the implementation and are outside the scope of this
   document.  However, it should be possible to do a file rotation based
   on either the time or size of the current trace log.  If file
   rollover is supported, multiple archived log files should be
   supported in order to maximize the troubleshooting and accounting
   benefits of the trace log.

7.4.  Trace Log Retrieval

   Implementors are free to provide their own, proprietary interfaces

From rfc4925.txt:

     2.7.  Softwire Concentrator Discovery ...................... 12
     2.8.  Scaling .............................................. 12
     2.9.  Routing .............................................. 12
     2.10. Multicast ............................................ 12
     2.11. Security ............................................. 12
       2.11.1. Authentication, Authorization, and Accounting
               (AAA) ........................................... 12
       2.11.2. Privacy, Integrity, and Replay Protection ........ 13
     2.12. Operations and Management (OAM) ...................... 13
     2.13. Encapsulations ....................................... 13
   3.  Mesh Problem ............................................. 14

[...]

   Softwires must support multicast.

2.11.  Security

2.11.1.  Authentication, Authorization, and Accounting (AAA)

   The softwire protocol must support customer authentication in the
   control plane, in order to authorize access to the service, and
   provide adequate logging of activity (accounting).  However, a

Li, et al.                    Informational                    [Page 12]

[...]

   Other needed OAM features include:

   -  Logging

   -  Usage accounting

   -  End-point failure detection (the detection mechanism must operate
      within the tunnel)

   -  Path failure detection (the detection mechanism must operate

From rfc7069.txt:

   them.  While specific system components might differ between
   implementations, this document details the major components and their
   overall roles in the architecture.  To keep the scope narrow, we only
   discuss the primary components related to protocol development.
   Particular deployments will require additional components (e.g.,
   monitoring and accounting at a server), but they are intentionally
   omitted from this document.

[...]

   For the list of servers/clients to which data objects have been
   distributed to, the server SHOULD be able to decide on time bounds
   for which this information is stored and specify the corresponding
   time frame in the response to such requests.  Some of this
   information may be used for accounting purposes, e.g., the list of
   clients to which data objects have been distributed.

   Access information MAY be provided for accounting purposes, for
   example, when uploading DECADE clients are interested in access
   statistics for resources and/or to perform accounting per user.
   Again, access to such information requires client authorization and
   SHOULD be based on the delegation concept as described in
   Section 4.5.  The following type of access information elements MAY
   be requested: a) what data objects have been accessed by whom and how
   many times; and b) access tokens that a server has seen for a given

From rfc8299.txt:

   described in Section 1.4.1.  Thus, noting the rules set out in
   [RFC7950], it was decided to retain the module name in this document.

2.  Acronyms

   AAA:   Authentication, Authorization, and Accounting.

   ACL:   Access Control List.

   ADSL:  Asymmetric DSL.

From rfc8772.txt:

2.2.  Terms

   This section specifies terms used in this document.

   AAA:  Authentication Authorization Accounting.

   ACK:  Acknowledgement message.

   BAS:  Broadband Access Server, also known as a BBRAS, BNG, or BRAS.

[...]

   The rapid development of new services, such as 4K TV, Internet of
   Things (IoT), etc., and increasing numbers of home broadband service
   users present some new challenges for BNGs such as:

   Low resource utilization:  The traditional BNG acts as both a gateway
      for user access authentication and accounting and also an IP
      network's Layer 3 edge.  The mutually affecting nature of the
      tightly coupled control plane and forwarding plane makes it
      difficult to achieve the maximum performance of either plane.

   Complex management and maintenance:  Due to the large numbers of

[...]

   *  Address management: Unified address pool management and CGN
      subscriber address traceability management.

   *  AAA: This component performs Authentication, Authorization, and
      Accounting, together with RADIUS/Diameter.  The BNG communicates
      with the AAA server to check whether the subscriber who sent an
      access request has network access authority.  Once the subscriber
      goes online, this component (together with the Service Control
      component) implements accounting, data capacity limitation, and
      QoS enforcement policies.

   *  Subscriber management: User entry management and forwarding policy
      management.

[...]

      |              4|<--------via Ci---------|               |
      |               |                        |               |
      |               |   Create Subscriber    |               |
      |               |   Session Response     |               |
      |              5|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                       6|<------------->|
      |               |  Send Online Response  |               |
      |              7|<----to UP via Si-------|               |
      |               |                        |               |
      |Online Response|                        |               |

[...]

   will be allocated to the subscriber.  Policies and security rules
   will be generated for the subscriber.  Then the CP sends a request to
   create a session to the UP through the Ci (step 4), and a response is
   expected from the UP to confirm the creation (step 5).

   Finally, the CP will notify the AAA server to start accounting (step
   6).  At the same time, an Online Response message (for example, a
   DHCP Ack packet) will be sent to the UP through the Si (step 7).  The
   UP will then forward the Online Response to the RG (step 8).

   That completes the subscriber activation process.

[...]

      |               |    Session Request     |               |
      |              8|<--------via Ci---------|               |
      |               |   Create Subscriber    |               |
      |               |   Session Response     |               |
      |              9|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                      10|<------------->|
      |               |     Send DHCP ACK      |               |
      |             11|<----to UP via Si-------|               |
      |               |                        |               |
      |   DHCP ACK    |                        |               |

[...]

      |              8|<--------via Ci-------->|               |
      |               |                        |               |
      |               |   Create Subscriber    |               |
      |               |   Session Response     |               |
      |              9|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                      10|<------------->|
      |               |       Send Reply       |               |
      |             11|<----to UP via Si-------|               |
      |     Reply     |                        |               |
    12|<--------------|                        |               |

[...]

      |      NS       |                        |               |
     8|-------------->|                        |               |
      |               |   Relay the Neighbor   |               |
      |               |     Solicit (NS)       |               |
      |              9|-----to CP via Si------>|               |
      |               |                        |  Accounting   |
      |               |                      10|<------------->|
      |               |    Send a Neighbor     |               |
      |               |    Advertise (NA)      |               |
      |             11|<----to UP via Si-------|               |
      |      NA       |                        |               |

[...]

      |             10|<--------via Ci---------|               |
      |               |                        |               |
      |               |   Update Subscriber    |               |
      |               |   Session Response     |               |
      |             11|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                      12|<------------->|
      |               |   Send DHCPv6 Reply    |               |
      |             13|<----to UP via Si-------|               |
      |               |                        |               |
      | DHCPv6 Reply  |                        |               |

[...]

      |               |    Session Request     |               |
      |              8|<--------via Ci-------->|               |
      |               |   Create Subscriber    |               |
      |               |   Session Response     |               |
      |              9|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                      10|<------------->|
      |               |     Send DHCP ACK      |               |
      |             11|<----to UP via Si-------|               |
      |   DHCP ACK    |                        |               |
    12|<--------------|                        |               |

[...]

      |               |    Session Request     |               |
      |             22|<--------via Ci---------|               |
      |               |   Update Subscriber    |               |
      |               |   Session Response     |               |
      |             23|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                      24|<------------->|
      |               |   Send DHCPv6 Reply    |               |
      |             25|<----to UP via Si-------|               |
      | DHCPv6 Reply  |                        |               |
    26|<--------------|                        |               |

[...]

      |               |    Session Request     |               |
      |              5|<--------via Ci---------|               |
      |               |   Create Subscriber    |               |
      |               |   Session Response     |               |
      |              6|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                       7|<------------->|
      |               |                        |               |

                     Figure 20: IPv4 PPPoE Access

[...]

      |               |    Session Request     |               |
      |              8|<--------via Ci---------|               |
      |               |   Update Subscriber    |               |
      |               |   Session Response     |               |
      |              9|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                      10|<------------->|
      |    DHCPv6     |        DHCPv6          |               |
      |  Negotiation  |      Negotiation       |               |
    7'|<------------->|<---------via Si------->|               |
      |               |                        |               |

[...]

      |               |    Session Request     |               |
      |             8'|<---------via Ci--------|               |
      |               |   Update Subscriber    |               |
      |               |   Session Response     |               |
      |             9'|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                     10'|<------------->|
      |               |                        |               |

                     Figure 21: IPv6 PPPoE Access

[...]

      |               |    Session Request     |               |
      |              5|<--------via Ci---------|               |
      |               |  Create v4 Subscriber  |               |
      |               |   Session Response     |               |
      |              6|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                       7|<------------->|
      |   PPP IP6CP   |       PPP IP6CP        |               |
    4'|<------------->|<---------via Si------->|               |
      |               |                        |               |
      |               |  Create V6 Subscriber  |               |

[...]

      |               |    Session Request     |               |
      |              9|<---------via Ci--------|               |
      |               |  Update v6 Subscriber  |               |
      |               |   Session Response     |               |
      |             10|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                      7'|<------------->|
      |    DHCPv6     |        DHCPv6          |               |
      |  Negotiation  |      Negotiation       |               |
    8'|<------------->|<---------via Si------->|               |
      |               |                        |               |

[...]

      |               |    Session Request     |               |
      |             9'|<--------via Ci---------|               |
      |               |  Update v6 Subscriber  |               |
      |               |   Session Response     |               |
      |            10'|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                      7"|<------------->|
      |               |                        |               |

                  Figure 22: PPPoE Dual-Stack Access

[...]

      |               |                        |               |
      |               |   Create Subscriber    |               |
      |               |   Session Response     |               |
      |               | (with NAT information) |               |
      |              9|---------via Ci-------->|               |
      |               |                        |  Accounting   |
      |               |                        |  with source  |
      |               |                        |  information  |
      |               |                      10|<------------->|
      |               |                        |  Public IP +  |
      |               |                        |  Port Range   |

[...]

   might be across the general Internet or other hostile environment.
   The ability of an adversary to block or corrupt messages or introduce
   spurious messages on any one or more of these interfaces would give
   the adversary the ability to stop subscribers from accessing network
   services, disrupt existing subscriber sessions, divert traffic, mess
   up accounting statistics, and generally cause havoc.  Damage would
   not necessarily be limited to one or a few subscribers but could
   disrupt routing or deny service to one or more instances of the CP or
   otherwise cause extensive interference.  If the adversary knows the
   details of the UP equipment and its forwarding rule capabilities, the
   adversary may be able to cause a copy of most or all user data to be

From rfc7211.txt:

   In general, security configuration can be treated as an additional
   configuration item that needs to be set up to establish service.
   There is no significant security value in protecting routing protocol
   keys more than administrative password or Authentication,
   Authorization, and Accounting (AAA) secrets that can be used to gain
   login access to a router.  These existing secrets can be used to make
   configuration changes that impact routing protocols as much as
   disclosure of a routing protocol key.  Operators already have
   procedures in place for these items.  So, it is appropriate to use
   similar procedures for routing protocol keys.  It is reasonable to

From rfc2567.txt:

10.21.  END TO END SCENARIO - WITHIN AN ENTERPRISE

   An office worker prints on shared departmental printers.  All printers
   in the office are public, that is, no authentication or authorization
   is required.  Printers are protected from external access by a
   firewall.  No billing or accounting is required.  Most printing is
   done from desktop applications.  A help desk is provided for printing
   problems.  Standard operating systems and applications are used.
   Drivers are available, but are installed manually by support
   personnel.  This scenario assumes that drivers have been installed and
   that drivers are not IPP aware, that is, they cannot communicate

From rfc491.txt:

   Now, because of the implementation implications this may all sound
   like special pleading, but I claim that another implication of the
   "incorrect" formulation will further show the superiority of an
   explicit login for mail.  For the "loginless" view leads to problems
   in regard to the authentication aspects of login and the accounting
   aspects, by apparently assuming that the sole purpose of login is to
   initiate accounting.  In RFC 475, the problem is exposed when, after
   noting that some systems allow access control to be applied to
   mailboxes, it is asserted that FTP USER command is wrong for access
   control because you'd then be on the free account and a new FTP FROM

[...]

   list" of the mailbox, and when the mailbox is referenced by a process
   the principal identifier of that process must match (explicitly or as
   a member of a class) an entry on the list or access will be
   forbidden.  But the principal identifier is associated with the
   process at login.  Now, it is probably a valid objection to say that
   accounting should be separated from authentification, but it isn't
   always.  So why invent a redundant mechanism based on the assumption
   that it is?

   Another point on authentication via login: it has been argued that
   FTP mail ought to be so cheap that it "can be buried in overhead" by

From rfc7269.txt:

5.  Source-Address Transparency

5.1.  Traceability

   Traceability is required in many cases, such as meeting accounting
   requirements and identifying the sources of malicious attacks.
   Operators are asked to record the NAT64 log information for specific
   periods of time.  In our lab testing, the log information from
   200,000 subscribers was collected from a stateful NAT64 gateway for
   60 days.  Syslog [RFC5424] has been adopted to transmit log messages

From rfc8158.txt:

   Network operators require NAT devices to log events like creation and
   deletion of translations and information about the resources that the
   NAT device is managing.  In many cases, the logs are essential to
   identify an attacker or a host that was used to launch malicious
   attacks and for various other purposes of accounting.  Since there is
   no standard way of logging this information, different NAT devices
   use proprietary formats; hence, it is difficult to expect consistent
   behavior.  This lack of standardization makes it difficult to write
   the Collector applications that would receive this data and process
   it to present useful information.
   This document describes the

[...]

   A Collector may have scale issues if it is overloaded by a large
   number of simultaneous events.  An appropriate throttling mechanism
   may be used to handle the oversubscription.

   The logs that are exported can be used for a variety of reasons.  An
   example use case is to do accounting based on when the users logged
   on and off.  The translation will be installed when the user logs on
   and removed when the user logs off.  These events create log records.
   Another use case is to identify an attacker or a host in a provider
   network.  The network administrators can use these logs to identify
   the usage patterns, the need for additional IP addresses, and etc.

From rfc2869.txt:

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   This document describes additional attributes for carrying
   authentication, authorization and accounting information between a
   Network Access Server (NAS) and a shared Accounting Server using the
   Remote Authentication Dial In User Service (RADIUS) protocol
   described in RFC 2865 [1] and RFC 2866 [2].

Table of Contents

   1.     Introduction ..........................................  2
   1.1    Specification of Requirements .........................  3
   1.2    Terminology ...........................................  3
   2.     Operation .............................................  4
   2.1    RADIUS support for Interim Accounting Updates .........  4
   2.2    RADIUS support for Apple Remote Access Protocol .......  5
   2.3    RADIUS Support for Extensible Authentication
          Protocol (EAP) ........................................ 11
   2.3.1  Protocol Overview ..................................... 11

[...]

   12.    Full Copyright Statement .............................. 47

1.  Introduction

   RFC 2865 [1] describes the RADIUS Protocol as it is implemented and
   deployed today, and RFC 2866 [2] describes how Accounting can be
   performed with RADIUS.

[...]

RFC 2869                   RADIUS Extensions                   June 2000

      is ended.  A user may have multiple sessions in parallel or
      series if the NAS supports that, with each session
      generating a separate start and stop accounting record.

   silently discard
      This means the implementation discards the packet without
      further processing.  The implementation SHOULD provide the
      capability of logging the error, including the contents of

[...]

2.  Operation

   Operation is identical to that defined in RFC 2865 [1] and RFC 2866
   [2].

2.1.  RADIUS support for Interim Accounting Updates

   When a user is authenticated, a RADIUS server issues an Access-Accept
   in response to a successful Access-Request.  If the server wishes to
   receive interim accounting messages for the given user it must
   include the Acct-Interim-Interval RADIUS attribute in the message,
   which indicates the interval in seconds between interim messages.

   It is also possible to statically configure an interim value on the
   NAS itself.  Note that a locally configured value on the NAS MUST

[...]

   Note that all information in an interim message is cumulative (i.e.
   number of packets sent is the total since the beginning of the
   session, not since the last interim message).

   It is envisioned that an Interim Accounting record (with Acct-
   Status-Type = Interim-Update (3)) would contain all of the attributes
   normally found in an Accounting Stop message with the exception of
   the Acct-Term-Cause attribute.

   Since all the information is cumulative, a NAS MUST ensure that only
   a single generation of an interim Accounting message for a given
   session is present in the retransmission queue at any given time.

[...]

   A NAS MAY use a fudge factor to add a random delay between Interim
   Accounting messages for separate sessions.  This will ensure that a
   cycle where all messages are sent at once is prevented, such as might
   otherwise occur if a primary link was recently restored and many
   dial-up users were directed to the same NAS at once.

   The Network and NAS CPU load of using Interim Updates should be

[...]

   the Access-Request packet, and either NAS-Identifier or NAS-IP-
   Address MUST be included.  In order to permit forwarding of the
   Access-Reply by EAP-unaware proxies, if a User-Name attribute was
   included in an Access-Request, the RADIUS Server MUST include the
   User-Name attribute in subsequent Access-Accept packets.  Without the
   User-Name attribute, accounting and billing becomes very difficult to
   manage.

   If identity is determined via another means such as Called-Station-Id
   or Calling-Station-Id, the NAS MUST include these identifying
   attributes in every Access-Request.

   While this approach will save a round-trip, it cannot be universally
   employed.  There are circumstances in which the user's identity may
   not be needed (such as when authentication and accounting is handled
   based on Called-Station-Id or Calling-Station-Id), and therefore an
   EAP-Request/Identity packet may not necessarily be issued by the NAS
   to the authenticating peer.  In cases where an EAP-Request/Identity
   packet will not be sent, the NAS will send to the RADIUS server a
   RADIUS Access-Request packet containing an EAP-Message attribute

[...]

5.  Attributes

   RADIUS Attributes carry the specific authentication, authorization
   and accounting details for the request and response.

   Some attributes MAY be included more than once.  The effect of this
   is attribute specific, and is specified in each attribute
   description.  The order of attributes of the same type SHOULD be
   preserved.  The order of attributes of different types is not

[...]

   are reserved for implementation-specific use, and values 241-255
   are reserved and should not be used.  This specification concerns
   the following values:

      1-39   (refer to RFC 2865 [1], "RADIUS")
      40-51  (refer to RFC 2866 [2], "RADIUS Accounting")
      52     Acct-Input-Gigawords
      53     Acct-Output-Gigawords
      54     Unused
      55     Event-Timestamp
      56-59  Unused

[...]

   Description

      This attribute indicates how many times the Acct-Input-Octets
      counter has wrapped around 2^32 over the course of this service
      being provided, and can only be present in Accounting-Request
      records where the Acct-Status-Type is set to Stop or Interim-
      Update.

      A summary of the Acct-Input-Gigawords attribute format is shown
      below.  The fields are transmitted from left to right.

[...]

   Description

      This attribute indicates how many times the Acct-Output-Octets
      counter has wrapped around 2^32 in the course of delivering this
      service, and can only be present in Accounting-Request records
      where the Acct-Status-Type is set to Stop or Interim-Update.

      A summary of the Acct-Output-Gigawords attribute format is shown
      below.  The fields are transmitted from left to right.

[...]

5.3.  Event-Timestamp

   Description

      This attribute is included in an Accounting-Request packet to
      record the time that this event occurred on the NAS, in seconds
      since January 1, 1970 00:00 UTC.

      A summary of the Event-Timestamp attribute format is shown below.
      The fields are transmitted from left to right.

[...]

      This attribute is sent from the NAS to indicate the nature of the
      user's connection.

      The NAS MAY send this attribute in an Access-Request or
      Accounting-Request to indicate the nature of the user's
      connection.

      A summary of the Connect-Info attribute format is shown below.  The
      fields are transmitted from left to right.

[...]

      For example, "28800 V42BIS/LAPM" or "52000/31200 V90"

      More than one Connect-Info attribute may be present in an
      Accounting-Request packet to accommodate expected efforts by ITU
      to have modems report more connection information in a standard
      format that might exceed 252 octets.

5.12.  Configuration-Token

[...]

   Description

      This Attribute contains a text string which identifies the port of
      the NAS which is authenticating the user.  It is only used in
      Access-Request and Accounting-Request packets.  Note that this is
      using "port" in its sense of a physical connection on the NAS, not
      in the sense of a TCP or UDP port number.

      Either NAS-Port or NAS-Port-Id SHOULD be present in an Access-
      Request packet, if the NAS differentiates among its ports.  NAS-

[...]

5.19.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which kind of packets.  Acct-Input-Gigawords, Acct-Output-
   Gigawords, Event-Timestamp, and NAS-Port-Id may have 0-1 instances in
   an Accounting-Request packet.  Connect-Info may have 0+ instances in
   an Accounting-Request packet.  The other attributes added in this
   document must not be present in an Accounting-Request.

   Request Accept Reject Challenge   #   Attribute
   0-1     0      0      0          70   ARAP-Password [Note 1]
   0       0-1    0      0-1        71   ARAP-Features
   0       0-1    0      0          72   ARAP-Zone-Access

[...]

   Message-Authenticator attribute, as described previously.

7.2.3.  Man in the middle attacks

   Since RADIUS security is based on shared secrets, end-to-end security
   is not provided in the case where authentication or accounting
   packets are forwarded along a proxy chain.  As a result, attackers
   gaining control of a RADIUS proxy will be able to modify EAP packets
   in transit.
7.2.4. Multiple databases
--
   [1]  Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

   [2]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [3]  Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998.

   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
--
   [6]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.

   [7]  Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

   [8]  Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998.
--
   [11] Slatalla, M., and Quittner, J., "Masters of Deception." HarperCollins, New York, 1995.

9. Acknowledgements

   RADIUS and RADIUS Accounting were originally developed by Livingston Enterprises (now part of Lucent Technologies) for their PortMaster series of Network Access Servers.

   The section on ARAP is adopted with permission from "Using RADIUS to Authenticate Apple Remote Access Connections" by Ward Willats of Cyno
--
[rfc6127.txt]
   private addresses [IPv4-SPACE-ISSUES].

   Network operations that had previously been tied to a single IPv4 address for a subscriber would need to be considered when deploying NAT444 as well. These may include troubleshooting, operations, accounting, logging and legal intercept, Quality of Service (QoS) functions, anti-spoofing and security, backoffice systems, etc. Ironically, some of these considerations overlap with the kinds of considerations one needs to perform when deploying IPv6.

   Consequences aside, NAT444 service is already being deployed in some
--
[rfc1009.txt]
   respect to the ISO connectionless network model and incorporate defined packet formats, routing algorithms and related procedures [33, 34]. The ISO ES-IS [37] provides the functions of ARP and ICMP Redirect.

   B.5. Access Control and Accounting

   There are no requirements for NSF gateways at this time to incorporate specific access-control and accounting mechanisms in the design; however, these important issues are currently under study and will be incorporated into a subsequent edition of this document. Vendors are encouraged to plan for the introduction of these mechanisms into their products.
   While at this time no definitive common model for access control and accounting has emerged, it is possible to outline some general features such a model is likely to have, among them the following:
--
RFC 1009 - Requirements for Internet Gateways                     June 1987

      1. The primary access control and accounting mechanisms will be in the service hosts themselves, not the gateways, packet-switches or workstations.

      2. Agents acting on behalf of access control and accounting mechanisms may be necessary in the gateways, to collect data, enforce password protection, or mitigate resource priority and fairness. However, the architecture and protocols used by these agents may be a local matter and cannot be specified in advance.

      3. NSF gateways may be required to incorporate access control and accounting mechanisms based on datagram source/destination address, as well as other fields in the IP header.

      4. NSF gateways may be required to enforce policies on access to gateway and communication resources. These policies may
--
[rfc6646.txt]
5.1. Denial-of-Service Attacks

   An attacker can try to consume a large portion of the in-network storage, or exhaust the connections of the in-network storage through a denial-of-service (DoS) attack. Authentication, authorization, and accounting mechanisms should be considered in the cross-domain environment. Limitation of access from an administrative domain sets up barriers for content distribution.

5.2. Copyright and Legal Issues
--
[rfc3084.txt]
   5. COPS-PR Client-Specific Data Formats
   5.1. Named Decision Data
   5.2. ClientSI Request Data
   5.3. Policy Provisioning Report Data
   5.3.1. Success and Failure Report-Type Data Format
   5.3.2. Accounting Report-Type Data Format
   6. Common Operation
   7. Fault Tolerance
   8. Security Considerations
   9. IANA Considerations
   10. Acknowledgements
--
   the action taken.

3.3. Report State (RPT) PEP -> PDP

   The RPT message is sent from the policy provisioning clients to the PDP to report accounting information associated with the provisioned policy, or to notify the PDP of changes in the PEP (Report-Type = 'Accounting') related to the provisioning client.

   RPT is also used as a mechanism to inform the PDP about the action taken at the PEP in response to a DEC message. For example, in response to an 'Install' decision, the PEP informs the PDP if the policy data is installed (Report-Type = 'Success') or not (Report-
--
   always respond to a DEC with a solicited RPT even in response to a NULL DEC, in which case the Report-Type will be 'Success'.

   Reports can also be unsolicited and all unsolicited Reports MUST NOT set the solicited message flag in their COPS message header.
   Examples of unsolicited reports include 'Accounting' Report-Types, which were not triggered by specific DEC messages, or 'Failure' Report-Types, which indicate a failure in a previously successfully installed configuration (note that, in the case of such unsolicited failures, the PEP cannot rollback to a previous "good" state as it becomes ambiguous under these asynchronous conditions what the correct state
--
RFC 3084                        COPS-PR                        March 2001

   The RPT message may contain provisioning client information such as accounting parameters or errors/warnings related to a decision. The data format for this information is defined in the context of the policy information base (see section 5). The RPT message has the following format:

   <Report State> ::= <Common Header>
--
   conjunction with the accompanying COPS Report Type object to encapsulate COPS-PR report information from the PEP to the PDP. Report types can be 'Success' or 'Failure', indicating to the PDP that a particular set of provisioning policies has been either successfully or unsuccessfully installed/removed on the PEP, or 'Accounting'.

5.3.1. Success and Failure Report-Type Data Format

   Report-types can be 'Success' or 'Failure' indicating to the PDP that a particular set of provisioning policies has been either
--
   <Named ClientSI: Report> ::= <[<GPERR>] *(<report>)>

   <report> ::= <ErrorPRID> <CPERR> *(<PRID><EPD>)

5.3.2. Accounting Report-Type Data Format

   Additionally, reports can be used to carry accounting information when specifying the 'Accounting' Report-Type. This accounting report message will typically carry statistical or event information related to the installed configuration for use at the PDP. This information is encoded as one or more <PRID><EPD> bindings that generally describe the accounting information being reported from the PEP to the PDP.

   The format for this data is encapsulated in the COPS Named ClientSI object as follows:

   <Named ClientSI: Report> ::= <*(<PRID><EPD>)>

   NOTE: RFC 2748 defines an optional Accounting-Timer (AcctTimer) object for use in the COPS Client-Accept message. Periodic accounting reports for COPS-PR clients are also obligated to be paced by this timer. Periodic accounting reports SHOULD NOT be generated by the PEP more frequently than the period specified by the COPS AcctTimer. Thus, the period between new accounting reports SHOULD be greater-than or equal-to the period specified (if specified) in the AcctTimer. If no AcctTimer object is specified by the PDP, then there are no constraints imposed on the PEP's accounting interval.
--
   its previously installed (good) state as if the DEC never occurred. The PDP is then free to modify its decision and try again.

   The PEP can report to the PDP the current status of any installed request state when appropriate. This information is sent in a Report-State (RPT) message with the "Accounting" flag set. The request state that is being reported is identified via the associated Client Handle in the report message.

   Finally, Client-Close (CC) messages are used to cancel the corresponding Client-Open message. The CC message informs the other
--
[rfc4847.txt]
   - Reception of connection information: Customers MAY be allowed to receive information for current VPN connections (through the management plane).

   - Reception of accounting information: Customers MUST be able to receive accounting information for each VPN.

   - Specification of policy: Customers MAY be allowed to specify policies (e.g., path computation policies, recovery policies including parameters) for each VPN.
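The RFC 3084 AcctTimer note above, together with its earlier rules that a reply to a DEC is always a solicited RPT (even for a NULL DEC) and that an unsolicited Accounting report must not set the solicited flag, is easy to get wrong in a PEP, and a PEP that ignores the timer can flood the PDP with accounting traffic. The following Python is an added example, not code from RFC 3084 or from any COPS implementation: a minimal PEP-side report emitter that models RPT messages in memory (it does not produce the COPS wire encoding), always answers a DEC, and holds periodic Accounting reports until at least AcctTimer seconds have passed since the previous one, with no constraint at all when the PDP sent no AcctTimer in its Client-Accept. The PRID/EPD binding is constructed, and the PepReporter class and simulate helper are this example's own names.

```python
# Added example (not RFC 3084 code): a PEP-side emitter for COPS-PR Report-State
# messages that applies the solicited-flag and AcctTimer pacing rules quoted above.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SUCCESS, FAILURE, ACCOUNTING = 1, 2, 3        # COPS Report-Type values (RFC 2748)

@dataclass
class ReportState:
    """In-memory stand-in for an RPT message; not the COPS wire encoding."""
    client_handle: int
    report_type: int
    solicited: bool                            # solicited-message flag in the COPS header
    bindings: List[Tuple[str, bytes]] = field(default_factory=list)   # *(<PRID><EPD>)

class PepReporter:
    """Rules applied:
    - a reply to a DEC is a solicited RPT and is always sent (even for a NULL DEC);
    - periodic Accounting RPTs are unsolicited, and the interval between two of
      them is >= AcctTimer; with no AcctTimer from the PDP there is no constraint."""

    def __init__(self, acct_timer: Optional[int]):
        self.acct_timer = acct_timer           # seconds from Client-Accept, or None
        self._last_acct: Optional[float] = None   # time of the last Accounting RPT
        self.sent: List[ReportState] = []

    def reply_to_decision(self, handle: int, installed: bool, bindings=()) -> ReportState:
        rpt = ReportState(handle, SUCCESS if installed else FAILURE, True, list(bindings))
        self.sent.append(rpt)
        return rpt

    def accounting_allowed(self, now: float) -> bool:
        if self.acct_timer is None:
            return True
        return self._last_acct is None or now - self._last_acct >= self.acct_timer

    def report_accounting(self, handle: int, now: float, bindings) -> Optional[ReportState]:
        if not self.accounting_allowed(now):
            return None                        # too soon: hold the report
        rpt = ReportState(handle, ACCOUNTING, False, list(bindings))
        self._last_acct = now
        self.sent.append(rpt)
        return rpt

# Constructed PRID/EPD binding; a real PRID is an encoded PIB instance identifier.
SAMPLE_BINDING = ("example-prid-instance-1", b"\x00\x00\x00\x10")

def simulate(acct_timer: Optional[int], times: List[float]) -> List[float]:
    """Return the times at which an Accounting RPT for handle 1 was actually sent."""
    pep = PepReporter(acct_timer)
    pep.reply_to_decision(1, installed=True)   # solicited Success for the install DEC
    return [t for t in times if pep.report_accounting(1, t, [SAMPLE_BINDING]) is not None]
```

With an AcctTimer of 60 seconds, attempts at 0, 30, 60, 90 and 125 seconds yield reports at 0, 60 and 125 only; with no AcctTimer every attempt is sent.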
--
   documents, such as [RFC3945]. Also, manageability considerations for L3VPN are described in existing documents, such as [RFC4176]. These manageability considerations should also be applied in L1VPNs, and these aspects are described in this section. In addition, there are some specific manageability considerations for L1VPNs, such as configuration and accounting.

   o Fault management

   The provider network MUST support fault management. It MUST support liveness detection, and monitoring and verification of correct
--
   configuration.

   It SHOULD be possible for the provider network to verify that configuration is correctly made.

   o Accounting management

   The provider network MUST support accounting management. It MUST be able to record usage of VPN connections for each customer.

   o Performance management

   The provider network MUST support performance management.
--
[rfc5627.txt]
   If a proxy is in either the originating or terminating domains but is not an authoritative proxy, the proxy MAY record-route.

   If a proxy in the terminating domain requires mid-dialog requests to pass through it for whatever reason (firewall traversal, accounting, etc.), the proxy MUST still record-route, and MUST NOT assume that a UA will utilize its GRUU in the Contact header field of its response (which would cause mid-dialog requests to pass through the proxy without record-routing).
--
[rfc2721.txt]
   The RTFM Traffic Measurement System has been developed by the Realtime Traffic Flow Measurement Working Group. It is described in six other documents, as follows:

   [ACT-BKG] Internet Accounting: Background (Informational)

      Sets out the requirements for a usage reporting system for network traffic. Sketches out the RTFM Architecture (meters, meter readers and managers) allowing for multiple meters and meter readers, with asynchronous reading from the meters. Proposes
--
   much data reduction work as possible, which minimizes the amount of data to be read and the amount of processing needed to produce useful reports from it.

   RTFM flow data can be used for a wide range of purposes, such as usage accounting, long-term recording of network usage (classified by IP address attributes) and real-time analysis of traffic flows at remote metering points.

3 Applicability Statement (AS)
--
   provides a very effective way to read flow data from a traffic meter.

9 References

   [ACT-BKG]  Mills, C., Hirsch, G. and G. Ruth, "Internet Accounting Background", RFC 1272, November 1991.

   [RTFM-ARC] Brownlee, N., Mills, C. and G. Ruth, "Traffic Flow Measurement: Architecture", RFC 2722, October 1999.
--
[rfc5757.txt]
   denial-of-service attacks. In addition to source authentication, a rate control of the replicator may be required to protect the agent and the downstream network.

   Mobility protocols need to consider the implications and requirements for Authentication, Authorization, and Accounting (AAA). An MN may have been authorized to receive a specific multicast group when using one mobile network, but this may not be valid when attaching to a different network. In general, the AAA association for an MN may change between attachments, or may be individually chosen prior to network (re-)association. The most appropriate network path may be
--
[rfc7241.txt]
4.3. Solicited Review Processes

   With the number of areas of cooperation between IEEE 802 and IETF increasing, the document review process has extended beyond the traditional subjects of SMI (Structure of Management Information) MIB modules and AAA (Authentication, Authorization, and Accounting) described in [RFC4441]. IESG members routinely solicit directorate reviews as a means to request the opinion of specialized experts on specific aspects of documents in IESG review (examples include security, "MIB Doctors", or congestion management reviews). Area Directors may also require solicited reviews from IEEE 802 or IEEE
--
              Heard, C., Ed., "RFC 4181 Update to Recognize the IETF Trust", BCP 111, RFC 4841, March 2007.

   [BCP132]   Housley, R. and B. Aboba, "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management", BCP 132, RFC 4962, July 2007.

   [BCP158]   DeKok, A., Ed., and G. Weber, "RADIUS Design Guidelines", BCP 158, RFC 6158, March 2011.
--
A.2. AAA Review

   IEEE 802 WGs requiring new AAA applications should send a liaison request to the IETF.
   Where new attribute definitions are sufficient, rather than defining new authentication, authorization, and accounting logic and procedures, an Internet-Draft can be submitted and review can be requested from AAA-related WGs such as the RADEXT or DIME WGs.

   In addition to the RADEXT and DIME WGs, a "AAA doctors" team (directorate) is currently active in the OPS Area and can be
--
[rfc8167.txt]
4.1. Reverse-Direction Credits

   RPC-over-RDMA credits work the same way in the reverse direction as they do in the forward direction. However, forward-direction credits and reverse-direction credits on the same connection are accounted separately. Direction-independent credit accounting prevents head-of-line blocking in one direction from impacting operation in the other direction.

   The forward-direction credit value retains the same meaning whether or not there are reverse-direction resources associated with an RPC-
--
[rfc8568.txt]
   if each data center is protected separately via firewalls, Demilitarized Zones (DMZs), and other network-protection techniques.

   SDN can also be used to help improve security by facilitating the operation of existing protocols, such as Authentication, Authorization and Accounting (AAA). The management of AAA infrastructures, namely the management of AAA routing and the establishment of security associations between AAA entities, can be performed using SDN, as analyzed in [SDN-AAA].

4.9. Separation of Control Concerns
--
[rfc6787.txt]
   rules in the HTTP/1.1 specification [RFC2616] and append the "Age" attribute accordingly. This attribute is provided because time may have passed since the client received the cookie from an HTTP server. Rather than having the client reduce Max-Age by the actual age, it passes Max-Age verbatim and appends the "Age" attribute, thus maintaining the cookie as received while still accounting for the fact that time has passed.

   The MRCPv2 client or server MUST supply defaults for the "Domain" and "Path" attributes, as specified in RFC 6265, if they are omitted by the HTTP origin server. Note that there is no leading dot present in
--
[rfc3376.txt]
   the reasons behind this decision.

   1. Routers may want to track per-host membership status on an interface. This allows routers to implement fast leaves (e.g., for layered multicast congestion control schemes) as well as track membership status for possible accounting purposes.

   2. Membership Report suppression does not work well on bridged LANs.
      Many bridges and Layer2/Layer3 switches that implement IGMP snooping do not forward IGMP messages across LAN segments in order to prevent membership report suppression. Removing membership
--
[rfc3957.txt]
Category: Standards Track                                       P. Calhoun
                                                                 Airespace
                                                                March 2005

          Authentication, Authorization, and Accounting (AAA)
                  Registration Keys for Mobile IPv4

Status of this Memo

   This document specifies an Internet standards track protocol for the
--
   Copyright (C) The Internet Society (2005).

Abstract

   Authentication, Authorization, and Accounting (AAA) servers, such as RADIUS and DIAMETER, are in use within the Internet today to provide authentication and authorization services for dial-up computers. Mobile IP for IPv4 requires strong authentication between the mobile node and its home agent. When the mobile node shares an AAA Security Association with its home AAA server, however, it is possible to use
--
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [4].

   AAA          Authentication, Authorization, and Accounting (see [10]).

   AAA entity   A network node processing AAA messages according to the requirements for AAA protocols (see [10]).
--
   Security Association with its home agent, perhaps because it does not yet have a home address [5]. The protocol and messages in this document are intended to facilitate the following operations which may occur between the mobile node, foreign agent, home agent, and AAA servers in the visited (local) domain (Authentication, Authorization and Accounting Local or AAAL) and in the home domain (Authentication, Authorization, and Accounting Home or AAAH). In the following sequence of messages, the only message flows specified in this document are the Registration Request between the mobile node and the foreign agent, and Registration Reply between the foreign agent and the mobile node. The other messages described here result from the presumed action of the AAA entities as described in RFC 2977. See
--
11.2. Informative References

   [10] Mitton, D., St.Johns, M., Barkley, S., Nelson, D., Patil, B., Stevens, M., and B. Wolff, "Authentication, Authorization, and Accounting: Protocol Evaluation", RFC 3127, June 2001.

   [11] Rigney, C., Willens, S., Rubens, A., and A. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

   [12] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

   [13] Glass, S., Hiller, T., Jacobs, S., and C. Perkins, "Mobile IP Authentication, Authorization, and Accounting Requirements", RFC 2977, October 2000.

   [14] Calhoun, P. and C. Perkins, "DIAMETER mobile IP extensions", Work in Progress, February 2004.
--
   means for the mobile node to belong to the home domain.

   Second, from the model illustrated in figure 7 it is clear that AAAL and AAAH have to share an IP Security Association, because otherwise they could not rely on the authentication results, authorizations, nor even the accounting data which might be transacted between them. Requiring such bilateral IP Security Associations is, however, in the end not scalable; the AAA framework must provide for more scalable mechanisms, but the methods by which such a broker model is to be created are out of scope for this document. See RFC 2977 for more details.
--
[rfc3819.txt]
   are forwarded on a best-effort basis.

   Intserv requires installation of state information in every participating router. Performance guarantees cannot be made unless this state is present in every router along the path.
   This, along with RSVP processing and the need for usage-based accounting, is believed to have scalability problems, particularly in the core of the Internet [RFC2208].

   IP Differentiated Services (Diffserv) [RFC2475] provides a "toolkit" offering coarse-grained controls to aggregates of flows. Diffserv in
--
[rfc3796.txt]
5.56. RFC 2496 Definitions of Managed Object for the DS3/E3 Interface Type

   There are no IPv4 dependencies in this specification.

5.57. RFC 2512 Accounting Information for ATM Networks

   There are no IPv4 dependencies in this specification.
--
RFC 3796       IPv4 in the IETF Operations & Management Area       June 2004

5.58. RFC 2513 Managed Objects for Controlling the Collection and Storage of Accounting Information for Connection-Oriented Networks

   There are no IPv4 dependencies in this specification.

5.59. RFC 2514 Definitions of Textual Conventions and
--
[rfc2249.txt]
            won't be accepted, etc.) vary widely from one MTA to the
            next and cannot be inferred from this variable."
    ::= {mtaEntry 12}

-- MTAs typically group inbound reception, queue storage, and
-- outbound transmission in some way, rather than accounting for
-- such operations only across the MTA as a whole.  In the most
-- extreme case separate information will be maintained for each
-- different entity that receives messages and for each entity
-- the MTA stores messages for and delivers messages to.  Other
-- MTAs may elect to treat all reception equally, all queue
--
[rfc2977.txt]
                                                              C. Perkins
                                                   Nokia Research Center
                                                            October 2000

   Mobile IP Authentication, Authorization, and Accounting Requirements

Status of this Memo

   This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this
--
   Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

   The Mobile IP and Authentication, Authorization, Accounting (AAA) working groups are currently looking at defining the requirements for Authentication, Authorization, and Accounting. This document contains the requirements which would have to be supported by a AAA service to aid in providing Mobile IP services.

1. Introduction
--
   users to attach to any domain convenient to their current location. In this way, a client needs access to resources being provided by an administrative domain different than their home domain (called a "foreign domain"). The need for service from a foreign domain requires, in many models, Authorization, which leads directly to Authentication, and of course Accounting (whence, "AAA"). There is some argument which of these leads to, or is derived from the others, but there is common agreement that the three AAA functions are closely interdependent.
--
   resources is permitted. The resource may be as simple as a conduit to the Internet, or may be as complex as access to specific private resources within the foreign domain. Credentials can be exchanged in many different ways, all of which are beyond the scope of this document. Once authenticated, the mobile user may be authorized to access services within the foreign domain. An accounting of the actual resources may then be assembled.

   Mobile IP is a technology that allows a network node ("mobile node") to migrate from its "home" network to other networks, either within the same administrative domain, or to other administrative domains.
--
2.
Terminology ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- This document frequently uses the following terms in addition to ../data/rfc/rfc2977.txt- those defined in RFC 2002 [13]: ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt: Accounting The act of collecting information on resource usage ../data/rfc/rfc2977.txt- for the purpose of trend analysis, auditing, billing, ../data/rfc/rfc2977.txt- or cost allocation. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- -- ../data/rfc/rfc2977.txt- to carry out the necessary operations enabling Mobile ../data/rfc/rfc2977.txt- IP registrations. From the point of view of the ../data/rfc/rfc2977.txt- foreign agent, the foreign domain is the local ../data/rfc/rfc2977.txt- domain. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt: Inter-domain Accounting ../data/rfc/rfc2977.txt: Inter-domain accounting is the collection of ../data/rfc/rfc2977.txt- information on resource usage of an entity with an ../data/rfc/rfc2977.txt- administrative domain, for use within another ../data/rfc/rfc2977.txt: administrative domain. In inter-domain accounting, ../data/rfc/rfc2977.txt: accounting packets and session records will typically ../data/rfc/rfc2977.txt- cross administrative boundaries. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt-Glass, et al. Informational [Page 3] ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt-RFC 2977 Mobile IP AAA Requirements October 2000 ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt: Intra-domain Accounting ../data/rfc/rfc2977.txt: Intra-domain accounting is the collection of ../data/rfc/rfc2977.txt- information on resource within an administrative ../data/rfc/rfc2977.txt- domain, for use within that domain. In intra-domain ../data/rfc/rfc2977.txt: accounting, accounting packets and session records ../data/rfc/rfc2977.txt- typically do not cross administrative boundaries. 
../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- Local Domain ../data/rfc/rfc2977.txt- An administrative domain containing the AAA ../data/rfc/rfc2977.txt- infrastructure of immediate interest to a Mobile IP ../data/rfc/rfc2977.txt- client when it is away from home. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt: Real-time Accounting ../data/rfc/rfc2977.txt: Real-time accounting involves the processing of ../data/rfc/rfc2977.txt- information on resource usage within a defined time ../data/rfc/rfc2977.txt- window. Time constraints are typically imposed in ../data/rfc/rfc2977.txt- order to limit financial risk. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- Session record ../data/rfc/rfc2977.txt- A session record represents a summary of the resource ../data/rfc/rfc2977.txt- consumption of a user over the entire session. ../data/rfc/rfc2977.txt: Accounting gateways creating the session record may ../data/rfc/rfc2977.txt: do so by processing interim accounting events. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- In this document, the key words "MAY", "MUST, "MUST NOT", "optional", ../data/rfc/rfc2977.txt- "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as ../data/rfc/rfc2977.txt- described in [4]. ../data/rfc/rfc2977.txt- -- ../data/rfc/rfc2977.txt- the client to belong to the home domain. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- Second, from the model illustrated in figure 1 it is clear that AAAL ../data/rfc/rfc2977.txt- and AAAH have to share a security association, because otherwise they ../data/rfc/rfc2977.txt- could not rely on the authentication results, authorizations, nor ../data/rfc/rfc2977.txt: even the accounting data which might be transacted between them. ../data/rfc/rfc2977.txt- Requiring such bilateral security relationships is, however, in the ../data/rfc/rfc2977.txt- end not scalable; the AAA framework MUST provide for more scalable ../data/rfc/rfc2977.txt- mechanisms, as suggested below in section 6. 
../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- Finally, in the figure, it is clear that the attendant can naturally -- ../data/rfc/rfc2977.txt- otherwise validating the certificate) so that home and foreign ../data/rfc/rfc2977.txt- agents could avoid a costly online certificate status check. ../data/rfc/rfc2977.txt- - Provide message integrity and identity authentication on a hop- ../data/rfc/rfc2977.txt- by-hop (AAA node) basis. ../data/rfc/rfc2977.txt- - Support replay protection and optional non-repudiation ../data/rfc/rfc2977.txt: capabilities for all authorization and accounting messages. The ../data/rfc/rfc2977.txt: AAA protocol must provide the capability for accounting messages ../data/rfc/rfc2977.txt- to be matched with prior authorization messages. ../data/rfc/rfc2977.txt: - Support accounting via both bilateral arrangements and via broker ../data/rfc/rfc2977.txt: AAA servers providing accounting clearinghouse and reconciliation ../data/rfc/rfc2977.txt- between serving and home networks. There is an explicit agreement ../data/rfc/rfc2977.txt- that if the private network or home ISP authenticates the mobile ../data/rfc/rfc2977.txt- station requesting service, then the private network or home ISP ../data/rfc/rfc2977.txt- network also agrees to reconcile charges with the home service ../data/rfc/rfc2977.txt: provider or broker. Real time accounting must be supported. ../data/rfc/rfc2977.txt: Timestamps must be included in all accounting packets. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt-4. Requirements related to basic IP connectivity ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- The requirements listed in the previous section pertain to the ../data/rfc/rfc2977.txt- relationships between the functional units, and don't depend on the -- ../data/rfc/rfc2977.txt- (AAAH) need to interface with the foreign agent and the home agent to ../data/rfc/rfc2977.txt- handle the registration message. 
Latency would be reduced as a ../data/rfc/rfc2977.txt- result of initial registration being handled in conjunction with AAA ../data/rfc/rfc2977.txt- and the mobile IP mobility agents. Subsequent registrations, ../data/rfc/rfc2977.txt- however, would be handled according to RFC 2002 [13]. Another way to ../data/rfc/rfc2977.txt: reduce latency as to accounting would be the exchange of small ../data/rfc/rfc2977.txt- records. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- As there are many different types of sub-services attendants may ../data/rfc/rfc2977.txt: provide to mobile clients, there MUST be extensible accounting ../data/rfc/rfc2977.txt- formats. In this way, the specific services being provided can be ../data/rfc/rfc2977.txt: identified, as well as accounting support should more services be ../data/rfc/rfc2977.txt- identified in the future. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- The AAA home domain and the HA home domain of the mobile node need ../data/rfc/rfc2977.txt- not be part of the same administrative domain. Such an situation can ../data/rfc/rfc2977.txt- occur if the home address of the mobile node is provided by one ../data/rfc/rfc2977.txt- domain, e.g., an ISP that the mobile user uses while at home, and the ../data/rfc/rfc2977.txt: authorization and accounting by another (specialized) domain, e.g., a ../data/rfc/rfc2977.txt- credit card company. The foreign agent sends only the authentication ../data/rfc/rfc2977.txt- information of the mobile node to the AAAL, which interfaces to the ../data/rfc/rfc2977.txt- AAAH. After a successful authorization of the mobile node, the ../data/rfc/rfc2977.txt- foreign agent is able to continue with the mobile IP registration ../data/rfc/rfc2977.txt- procedure. 
Such a scheme introduces more delay if the access to the -- ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- - authorize the mobile node (once its identity has been established) ../data/rfc/rfc2977.txt- to use at least the set of resources for minimal Mobile IP ../data/rfc/rfc2977.txt- functionality, plus potentially other services requested by the ../data/rfc/rfc2977.txt- mobile node ../data/rfc/rfc2977.txt: - initiate accounting for service utilization ../data/rfc/rfc2977.txt- - use AAA protocol extensions specifically for including Mobile IP ../data/rfc/rfc2977.txt- registration messages as part of the initial registration sequence ../data/rfc/rfc2977.txt- to be handled by the AAA servers. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- These tasks, and the resulting more specific tasks to be listed later -- ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- Assuming that AAAB accepts responsibility for payment to the serving ../data/rfc/rfc2977.txt- domain on behalf of the home domain, the serving domain is assured of ../data/rfc/rfc2977.txt- receiving payments for services offered. However, the redirection ../data/rfc/rfc2977.txt- broker will usually require a copy of authorization messages from the ../data/rfc/rfc2977.txt: home domain and accounting messages from the serving domain, in order ../data/rfc/rfc2977.txt- for the broker to determine if it is willing to accept responsibility ../data/rfc/rfc2977.txt- for the services being authorized and utilized. If the broker does ../data/rfc/rfc2977.txt- not accept such responsibility for any reason, then it must be able ../data/rfc/rfc2977.txt- to terminate service to a mobile node in the serving network. In the ../data/rfc/rfc2977.txt- event that multiple brokers are involved, in most situations all -- ../data/rfc/rfc2977.txt- on foreign agents and AAALs. 
../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- Though this mechanism may reduce latency in the transit of messages ../data/rfc/rfc2977.txt- between the domains after the broker has completed its involvement, ../data/rfc/rfc2977.txt- there may be many more messages involved as a result of additional ../data/rfc/rfc2977.txt: copies of authorization and accounting messages to the brokers ../data/rfc/rfc2977.txt- involved. There may also be additional latency for initial access to ../data/rfc/rfc2977.txt- the network, especially when a new security association needs to be ../data/rfc/rfc2977.txt- created between AAAL and AAAH (for example, from the use of ISAKMP). ../data/rfc/rfc2977.txt- These delays may become important factors for latency-critical ../data/rfc/rfc2977.txt- applications. -- ../data/rfc/rfc2977.txt- needed scalability for managing trust relationships between otherwise ../data/rfc/rfc2977.txt- independent network domains. Use of the broker does not preclude ../data/rfc/rfc2977.txt- managing separate trust relationships between domains, but it does ../data/rfc/rfc2977.txt- offer an alternative to doing so. Just as with the AAAH and AAAL ../data/rfc/rfc2977.txt- (see section 5), data specific to Mobile IP control messages MUST NOT ../data/rfc/rfc2977.txt: be processed by the AAAB. Any credentials or accounting data to be ../data/rfc/rfc2977.txt- processed by the AAAB must be present in AAA message units, not ../data/rfc/rfc2977.txt- extracted from Mobile IP protocol extensions. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- The following requirements come mostly from [2], which discusses use ../data/rfc/rfc2977.txt- of brokers in the particular case of authorization for roaming dial- ../data/rfc/rfc2977.txt- up users. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- - allowing management of trust with external domains by way of ../data/rfc/rfc2977.txt- brokered AAA. ../data/rfc/rfc2977.txt: - accounting reliability. 
Accounting data that traverses the ../data/rfc/rfc2977.txt: Internet may suffer substantial packet loss. Since accounting ../data/rfc/rfc2977.txt- packets may traverse one or more intermediate authorization points ../data/rfc/rfc2977.txt- (e.g., brokers), retransmission is needed from intermediate points ../data/rfc/rfc2977.txt- to avoid long end-to-end delays. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- -- ../data/rfc/rfc2977.txt- [2] for more information on the individual attacks): ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- + Message editing ../data/rfc/rfc2977.txt- + Attribute editing ../data/rfc/rfc2977.txt- + Theft of shared secrets ../data/rfc/rfc2977.txt: + Theft and modification of accounting data ../data/rfc/rfc2977.txt- + Replay attacks ../data/rfc/rfc2977.txt- + Connection hijacking ../data/rfc/rfc2977.txt: + Fraudulent accounting ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt- These are serious problems which cannot be allowed to persist in any ../data/rfc/rfc2977.txt- acceptable AAA protocol and infrastructure. ../data/rfc/rfc2977.txt- ../data/rfc/rfc2977.txt-7. Security Considerations -- ../data/rfc/rfc3579.txt- Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 46 ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt-1. Introduction ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- The Remote Authentication Dial In User Service (RADIUS) is an ../data/rfc/rfc3579.txt: authentication, authorization and accounting protocol used to control ../data/rfc/rfc3579.txt- network access. RADIUS authentication and authorization is specified ../data/rfc/rfc3579.txt: in [RFC2865], and RADIUS accounting is specified in [RFC2866]; RADIUS ../data/rfc/rfc3579.txt- over IPv6 is specified in [RFC3162]. 
../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- The Extensible Authentication Protocol (EAP), defined in [RFC2284], ../data/rfc/rfc3579.txt- is an authentication framework which supports multiple authentication ../data/rfc/rfc3579.txt- mechanisms. EAP may be used on dedicated links, switched circuits, -- ../data/rfc/rfc3579.txt- session, with the beginning of the session defined as the ../data/rfc/rfc3579.txt- point where service is first provided and the end of the ../data/rfc/rfc3579.txt- session defined as the point where service is ended. A ../data/rfc/rfc3579.txt- peer may have multiple sessions in parallel or series if ../data/rfc/rfc3579.txt- the NAS supports that, with each session generating a ../data/rfc/rfc3579.txt: separate start and stop accounting record. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt-2. RADIUS Support for EAP ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- The Extensible Authentication Protocol (EAP), described in [RFC2284], ../data/rfc/rfc3579.txt- provides a standard mechanism for support of additional -- ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- Although having the NAS send the initial EAP-Request packet has ../data/rfc/rfc3579.txt- substantial advantages, this technique cannot be universally ../data/rfc/rfc3579.txt- employed. There are circumstances in which the peer identity is ../data/rfc/rfc3579.txt: already known (such as when authentication and accounting is handled ../data/rfc/rfc3579.txt- based on Called-Station-Id, Calling-Station-Id and/or ../data/rfc/rfc3579.txt- Originating-Line-Info), but where the appropriate EAP method may vary ../data/rfc/rfc3579.txt- based on that identity. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- Rather than sending an initial EAP-Request packet to the -- ../data/rfc/rfc3579.txt- in Access-Request packets, and either NAS-Identifier, NAS-IP-Address ../data/rfc/rfc3579.txt- or NAS-IPv6-Address attributes MUST be included. 
In order to permit ../data/rfc/rfc3579.txt- forwarding of the Access-Reply by EAP-unaware proxies, if a User-Name ../data/rfc/rfc3579.txt- attribute was included in an Access-Request, the RADIUS server MUST ../data/rfc/rfc3579.txt- include the User-Name attribute in subsequent Access-Accept packets. ../data/rfc/rfc3579.txt: Without the User-Name attribute, accounting and billing becomes ../data/rfc/rfc3579.txt- difficult to manage. The User-Name attribute within the Access- ../data/rfc/rfc3579.txt- Accept packet need not be the same as the User-Name attribute in the ../data/rfc/rfc3579.txt- Access-Request. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- -- ../data/rfc/rfc3579.txt-3.3. Table of Attributes ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- The following table provides a guide to which attributes may be found ../data/rfc/rfc3579.txt- in packets including EAP-Message attribute(s), and in what quantity. ../data/rfc/rfc3579.txt- The EAP-Message and Message-Authenticator attributes specified in ../data/rfc/rfc3579.txt: this document MUST NOT be present in an Accounting-Request. If a ../data/rfc/rfc3579.txt- table entry is omitted, the values found in [RFC2548], [RFC2865], ../data/rfc/rfc3579.txt- [RFC2868], [RFC2869] and [RFC3162] should be assumed. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt-Request Accept Reject Challenge # Attribute ../data/rfc/rfc3579.txt-0-1 0-1 0 0 1 User-Name -- ../data/rfc/rfc3579.txt- used to provide per-packet confidentiality, authentication, integrity ../data/rfc/rfc3579.txt- and replay protection. IKE SHOULD be used for key management. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- Within RADIUS [RFC2865], a shared secret is used for hiding of ../data/rfc/rfc3579.txt- attributes such as User-Password, as well as in computation of the ../data/rfc/rfc3579.txt: Response Authenticator. 
In RADIUS accounting [RFC2866], the shared ../data/rfc/rfc3579.txt- secret is used in computation of both the Request Authenticator and ../data/rfc/rfc3579.txt- the Response Authenticator. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- Since in RADIUS a shared secret is used to provide confidentiality as ../data/rfc/rfc3579.txt- well as integrity protection and authentication, only use of IPsec -- ../data/rfc/rfc3579.txt- from which it can glean peer location information, or which it can ../data/rfc/rfc3579.txt- subject to a known plaintext or offline dictionary attack. To ../data/rfc/rfc3579.txt- address these vulnerabilities, implementations of this specification ../data/rfc/rfc3579.txt- SHOULD use IPsec ESP with non-null transform and per-packet ../data/rfc/rfc3579.txt- encryption, authentication, integrity and replay protection to ../data/rfc/rfc3579.txt: protect both RADIUS authentication [RFC2865] and accounting [RFC2866] ../data/rfc/rfc3579.txt- traffic, as described in Section 4.2. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt-4.3.2. Spoofing and Hijacking ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- Access-Request packets with a User-Password attribute establish the -- ../data/rfc/rfc3579.txt- Request Authenticator. However, the Request Authenticator is not a ../data/rfc/rfc3579.txt- replay counter. Since RADIUS servers may not maintain a cache of ../data/rfc/rfc3579.txt- previous Request Authenticators, the Request Authenticator does not ../data/rfc/rfc3579.txt- provide replay protection. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt: RADIUS accounting [RFC2866] does not support replay protection at the ../data/rfc/rfc3579.txt- protocol level. Due to the need to support failover between RADIUS ../data/rfc/rfc3579.txt: accounting servers, protocol-based replay protection is not ../data/rfc/rfc3579.txt: sufficient to prevent duplicate accounting records. 
However, once ../data/rfc/rfc3579.txt: accepted by the accounting server, duplicate accounting records can ../data/rfc/rfc3579.txt- be detected by use of the the Acct-Session-Id [RFC2866, section 5.5] ../data/rfc/rfc3579.txt- and Event-Timestamp [RFC2869, section 5.3] attributes. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt: Unlike RADIUS authentication, RADIUS accounting does not use the ../data/rfc/rfc3579.txt- Request Authenticator as a nonce. Instead, the Request Authenticator ../data/rfc/rfc3579.txt- contains an MD5 hash calculated over the Code, Identifier, Length, ../data/rfc/rfc3579.txt: and request attributes of the Accounting Request packet, plus the ../data/rfc/rfc3579.txt- shared secret. The Response Authenticator also contains an MD5 hash ../data/rfc/rfc3579.txt- calculated over the Code, Identifier and Length, the Request ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt-Aboba & Calhoun Informational [Page 25] ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt-RFC 3579 RADIUS & EAP September 2003 ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt: Authenticator field from the Accounting-Request packet being replied ../data/rfc/rfc3579.txt- to, the response attributes and the shared secret. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt: Since the Accounting Response Authenticator depends in part on the ../data/rfc/rfc3579.txt: Accounting Request Authenticator, it is not possible to replay an ../data/rfc/rfc3579.txt: Accounting-Response unless the Request Authenticator repeats. While ../data/rfc/rfc3579.txt- it is possible to utilize EAP methods such as EAP TLS [RFC2716] which ../data/rfc/rfc3579.txt- include liveness checks on both sides, not all EAP messages will ../data/rfc/rfc3579.txt- include liveness so that this provides incomplete protection. 
../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt: Strong replay protection for RADIUS authentication and accounting can ../data/rfc/rfc3579.txt- be provided by enabling IPsec replay protection with RADIUS, as ../data/rfc/rfc3579.txt- described in Section 4.2. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt-4.3.6. Negotiation Attacks ../data/rfc/rfc3579.txt- -- ../data/rfc/rfc3579.txt- 1999. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- [RFC2716] Aboba, B. and D. Simon,"PPP EAP TLS Authentication ../data/rfc/rfc3579.txt- Protocol", RFC 2716, October 1999. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt: [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt: [RFC2867] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting ../data/rfc/rfc3579.txt- Modifications for Tunnel Protocol Support", RFC 2867, ../data/rfc/rfc3579.txt- June 2000. ../data/rfc/rfc3579.txt- ../data/rfc/rfc3579.txt- [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., ../data/rfc/rfc3579.txt- Holdrege, M. and I. Goyret, "RADIUS Attributes for -- ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- 3. Host-Host Protocol -- long range study ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- 4. Host-Host Protocol -- Short term maintenance and modifications ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt: 5. Accounting ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- 6. Logger Protocol ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- 7. Typewriter connection protocol ../data/rfc/rfc101.txt- -- ../data/rfc/rfc101.txt- 1. Improving the current network ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- 2. Working on a 316 version of the IMP and as a Terminal Interface ../data/rfc/rfc101.txt- Processor (TIMP) ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt: 3. Accounting ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt-Watson [Page 5] -- ../data/rfc/rfc101.txt- raised and G. 
Grossman of University of Illinois indicated he would ../data/rfc/rfc101.txt- start a dialog on the subject by producing an RFC. ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- The question of user names and the meaning of user IDs in socket ../data/rfc/rfc101.txt- numbers was raised. At present socket numbers have no structure, but ../data/rfc/rfc101.txt: several people felt that for accounting, file transfer, and ../data/rfc/rfc101.txt- interprocess communication some structure was probably valuable. A ../data/rfc/rfc101.txt- committee consisting of: ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- J. Heafner, RAND (chairman) ../data/rfc/rfc101.txt- -- ../data/rfc/rfc101.txt- link numbers for use in measurements experiments with the network. ../data/rfc/rfc101.txt- Link number 223 was assigned to this function. (Link 223 was later ../data/rfc/rfc101.txt- discovered to be assigned. Link 191 was chosen instead. See RFC ../data/rfc/rfc101.txt- #104, NIC (5768,). ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt: The problem of accounting was raised as a number of machine or ../data/rfc/rfc101.txt- systems on the network will provide service functions. The present ../data/rfc/rfc101.txt- service facilities being the 360/91 at UCLA, the 360/75 at UCSB, the ../data/rfc/rfc101.txt- NIC at SRI, Multics at MIT, the ILLIAC IV, the 360/67 at Lincoln Lab, ../data/rfc/rfc101.txt- and the Data Machine. The advanced Host-Host protocol study ../data/rfc/rfc101.txt: committee is looking at the accounting problem. There was brief ../data/rfc/rfc101.txt- mention made of a network banking system. Bob Kahn of BBN indicated ../data/rfc/rfc101.txt: that he would start a dialog on the subject of accounting by ../data/rfc/rfc101.txt- producing a paper putting down the issues as he sees them. ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- The question was then raised about handling of administrative ../data/rfc/rfc101.txt: procedures such as obtaining accounting numbers on foreign systems. 
../data/rfc/rfc101.txt- Dick Watson said he would look into this problem and see how the NIC ../data/rfc/rfc101.txt- can help in its solution. ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- ../data/rfc/rfc101.txt- -- ../data/rfc/rfc6765.txt- +---------------+---------------------------------------------------+ ../data/rfc/rfc6765.txt- | ifSpeed | Operating data rate for the BCE. For the GBS, it | ../data/rfc/rfc6765.txt- | | is the sum of the current operating data rates of | ../data/rfc/rfc6765.txt- | | all BCEs in the aggregation group, without the | ../data/rfc/rfc6765.txt- | | encapsulation overhead and G.Bond overhead, but | ../data/rfc/rfc6765.txt: | | accounting for Inter-Frame Gaps (IFG). When a | ../data/rfc/rfc6765.txt- | | GBS or a BCE is operating in an asymmetrical | ../data/rfc/rfc6765.txt- | | fashion (the upstream data rate differs from the | ../data/rfc/rfc6765.txt- | | downstream one), the lowest of the values is | ../data/rfc/rfc6765.txt- | | shown. | ../data/rfc/rfc6765.txt- +---------------+---------------------------------------------------+ -- ../data/rfc/rfc2699.txt-sufficient detail in RPSL so that low level router configurations can be ../data/rfc/rfc2699.txt-generated from them. RPSL is extensible; new routing protocols and new ../data/rfc/rfc2699.txt-protocol features can be introduced at any time. [STANDARDS-TRACK] ../data/rfc/rfc2699.txt- ../data/rfc/rfc2699.txt- ../data/rfc/rfc2699.txt:2621 Zorn Jun 1999 RADIUS Accounting Server MIB ../data/rfc/rfc2699.txt- ../data/rfc/rfc2699.txt:This memo defines a set of extensions which instrument RADIUS accounting ../data/rfc/rfc2699.txt-server functions. This memo provides information for the Internet ../data/rfc/rfc2699.txt-community. 
../data/rfc/rfc2699.txt- ../data/rfc/rfc2699.txt- ../data/rfc/rfc2699.txt:2620 Aboba Jun 1999 RADIUS Accounting Client MIB ../data/rfc/rfc2699.txt- ../data/rfc/rfc2699.txt:This memo defines a set of extensions which instrument RADIUS accounting ../data/rfc/rfc2699.txt-client functions. This memo provides information for the Internet ../data/rfc/rfc2699.txt-community. ../data/rfc/rfc2699.txt- ../data/rfc/rfc2699.txt- ../data/rfc/rfc2699.txt-2619 Zorn Jun 1999 RADIUS Authentication Server MIB -- ../data/rfc/rfc2764.txt- Private dial networks are used to allow remote users to connect into ../data/rfc/rfc2764.txt- an enterprise network using PSTN or Integrated Services Digital ../data/rfc/rfc2764.txt- Network (ISDN) links. Typically, this is done through the deployment ../data/rfc/rfc2764.txt- of Network Access Servers (NASs) at one or more central sites. Users ../data/rfc/rfc2764.txt- dial into such NASs, which interact with Authentication, ../data/rfc/rfc2764.txt: Authorization, and Accounting (AAA) servers to verify the identity of ../data/rfc/rfc2764.txt- the user, and the set of services that the user is authorized to ../data/rfc/rfc2764.txt- receive. ../data/rfc/rfc2764.txt- ../data/rfc/rfc2764.txt- In recent times, as more businesses have found the need for high ../data/rfc/rfc2764.txt- speed Internet connections to their private corporate networks, there -- ../data/rfc/rfc2194.txt- Connection management ../data/rfc/rfc2194.txt- Authentication ../data/rfc/rfc2194.txt- NAS Configuration/Authorization ../data/rfc/rfc2194.txt- Address assignment and routing ../data/rfc/rfc2194.txt- Security ../data/rfc/rfc2194.txt: Accounting ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- In this document we review existing roaming implementations, ../data/rfc/rfc2194.txt- describing their functionality within this framework. 
In addition to ../data/rfc/rfc2194.txt- full fledged roaming implementations, we will also review ../data/rfc/rfc2194.txt- implementations that, while not meeting the strict definition of -- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- shared use network ../data/rfc/rfc2194.txt- This is an IP dialup network whose use is shared by two or ../data/rfc/rfc2194.txt- more organizations. Shared use networks typically implement ../data/rfc/rfc2194.txt: distributed authentication and accounting in order to ../data/rfc/rfc2194.txt- facilitate the relationship among the sharing parties. Since ../data/rfc/rfc2194.txt- these facilities are also required for implementation of ../data/rfc/rfc2194.txt- roaming, implementation of shared use is frequently a first ../data/rfc/rfc2194.txt- step toward development of roaming capabilities. In fact, one ../data/rfc/rfc2194.txt- of the ways by which a provider may offer roaming service is -- ../data/rfc/rfc2194.txt- between the authentication servers became a problem. In August. 1996, ../data/rfc/rfc2194.txt- AimQuest began development of the AimTraveler Routing Server (ARS) in ../data/rfc/rfc2194.txt- order to improve scalability. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- The routing server is comprised of two elements: The Central ../data/rfc/rfc2194.txt: Accounting Server and the Central Routing Server. The Central ../data/rfc/rfc2194.txt: Accounting Server collects all the roaming accounting data for ../data/rfc/rfc2194.txt- settlement. The Central Routing Server manages and maintains ../data/rfc/rfc2194.txt- information on the authentication servers in the roaming consortium. ../data/rfc/rfc2194.txt- Adding, deleting, or updating ISP authentication server information ../data/rfc/rfc2194.txt- (e.g. adding a new member ISP) may be accomplished by editing of a ../data/rfc/rfc2194.txt- configuration file on the Central Routing Server. 
The configuration -- ../data/rfc/rfc2194.txt- servers, improving speed for repeated queries. The cache is sustained ../data/rfc/rfc2194.txt- until a routing server table entry is updated or deleted. Updating ../data/rfc/rfc2194.txt- or deleting results in a message to all neighbor routing servers to ../data/rfc/rfc2194.txt- delete their caches. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: The local authentication server also receives the accounting data ../data/rfc/rfc2194.txt- from the NAS. If the data is for a regular customer login, the data ../data/rfc/rfc2194.txt- is written to the Local ISP AAS log file. If the data is for a ../data/rfc/rfc2194.txt- "roamer," the data is written to three places: the Local ISP AAS log ../data/rfc/rfc2194.txt- file, the Home ISP AAS log file, and the ARS log file. ../data/rfc/rfc2194.txt- -- ../data/rfc/rfc2194.txt- authorized ISP's domain name, authentication servers and other ../data/rfc/rfc2194.txt- information. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- The AimTraveler currently supports RADIUS and TACACS+, and could be ../data/rfc/rfc2194.txt- extended to support other authentication protocols. It also receives ../data/rfc/rfc2194.txt: all the accounting records, which are subsequently used as input data ../data/rfc/rfc2194.txt- for billing. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- Since ISPs' NAS devices may be configured differently, the attributes ../data/rfc/rfc2194.txt- returned by the home ISP AAS are discarded. ../data/rfc/rfc2194.txt- -- ../data/rfc/rfc2194.txt- The user's password is hashed with MD5 before being sent from the ../data/rfc/rfc2194.txt- Local ISP AAS to the Home ISP AAS. An encryption key is shared ../data/rfc/rfc2194.txt- between the AAS and ARS. The current version of AimTraveler AAS does ../data/rfc/rfc2194.txt- not support token cards or tunneling protocols. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt:4.10. 
Accounting ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- The AimTraveler Authentication Server (AAS) software can act as ../data/rfc/rfc2194.txt: either a RADIUS or TACACS+ accounting server. When accounting ../data/rfc/rfc2194.txt- information is received from the NAS, the local AimTraveler ../data/rfc/rfc2194.txt: Authentication Server (AAS) sends accounting data (user name, domain ../data/rfc/rfc2194.txt: name, login time) to both the Central Accounting Server (part of the ../data/rfc/rfc2194.txt- ARS) and the user's Home ISP AimTraveler authentication server. In ../data/rfc/rfc2194.txt: the case of GRIC, the Central Accounting Server is run by AimQuest. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: The data sent to the central accounting server and home ISP are ../data/rfc/rfc2194.txt- identical except for the form of user id and time stamp. For a ../data/rfc/rfc2194.txt- traveler whose home ISP is in the US, but who is traveling in Japan, ../data/rfc/rfc2194.txt- the Local (Japanese) ISP AimTraveler authentication server will ../data/rfc/rfc2194.txt: receive an accounting record timestamped with Japan time while the ../data/rfc/rfc2194.txt- Home (US) ISP AimTraveler authentication server will receive an ../data/rfc/rfc2194.txt: accounting record timestamped with the appropriate US timezone. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: The accounting data includes 2 new attributes for settlement ../data/rfc/rfc2194.txt- reporting: ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- Attribute Number Type ../data/rfc/rfc2194.txt- --------- ------ ---- ../data/rfc/rfc2194.txt- -- ../data/rfc/rfc2194.txt- and London. More information on i-Pass can be obtained from ../data/rfc/rfc2194.txt- http://www.ipass.com. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- The i-Pass network consists of a number of servers that provide ../data/rfc/rfc2194.txt- real-time authentication services to partner ISPs. 
Authentication ../data/rfc/rfc2194.txt: requests and accounting records for roaming users are encrypted and ../data/rfc/rfc2194.txt- sent to an i-Pass serverwhere they are logged, and then forwarded to ../data/rfc/rfc2194.txt- a home ISP for authentication and/or logging. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: Periodically, i-Pass reconciles all accounting records, generates ../data/rfc/rfc2194.txt- billing statements, and acts as a single point for collecting and ../data/rfc/rfc2194.txt- remitting payments. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- i-Pass provides its service only to ISPs and channel partners. It ../data/rfc/rfc2194.txt- does not attempt to establish a business relationship with -- ../data/rfc/rfc2194.txt- ISPs may chooe to provide authentication for their end-users roaming ../data/rfc/rfc2194.txt- elsewhere, but not to provide access points to the i-Pass network. ../data/rfc/rfc2194.txt- In this case the software integration effort is greatly reduced and ../data/rfc/rfc2194.txt- can be as little as 1/2 a man-day. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt:5.5. Accounting ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: Accounting transactions are handled in the same way as authentication ../data/rfc/rfc2194.txt- requests. In addition to being logged at the i-Pass servers, ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt-Aboba, et. al. Informational [Page 11] ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt-RFC 2194 Review of Roaming Implementations September 1997 ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: accounting transactions are sent in real-time to the home ISP. This ../data/rfc/rfc2194.txt- is intended to allow ISPs to update users' credit limit information ../data/rfc/rfc2194.txt- on a real-time basis (to the extent that this capability is supported ../data/rfc/rfc2194.txt: by their billing and accounting systems). 
../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- Settlement is performed monthly. The settlement process involves ../data/rfc/rfc2194.txt- calculating the costs associated with each individual session, and ../data/rfc/rfc2194.txt- aggregating them for each ISP. A net amount is then calculated which ../data/rfc/rfc2194.txt- is either due from i-Pass to the ISP, or from the ISP to i-Pass, -- ../data/rfc/rfc2194.txt-Aboba, et. al. Informational [Page 14] ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt-RFC 2194 Review of Roaming Implementations September 1997 ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt:6.6. Accounting ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: Accounting information is transferred between the local RADIUS ../data/rfc/rfc2194.txt: accounting proxy/server and home RADIUS accounting server. Every day ../data/rfc/rfc2194.txt: each node sends a summary accounting information record to a central ../data/rfc/rfc2194.txt- server in order to support nationwide settlement. The central server ../data/rfc/rfc2194.txt- is run by the central Data Communication Bureau of China Telecom. ../data/rfc/rfc2194.txt- Every month the central server sends the settlement bill to the ../data/rfc/rfc2194.txt- provincial ISPs. ../data/rfc/rfc2194.txt- -- ../data/rfc/rfc2194.txt-Aboba, et. al. Informational [Page 22] ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt-RFC 2194 Review of Roaming Implementations September 1997 ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt:7.11. Accounting ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: In the MSN roaming implementation, the accounting data exchange ../data/rfc/rfc2194.txt: process is specified in terms of an accounting record format, and a ../data/rfc/rfc2194.txt- method by which the records are transferred from the partners to MSN, ../data/rfc/rfc2194.txt- which acts as the settlement agent. 
Defining the interaction in ../data/rfc/rfc2194.txt- terms of record formats and transfer protocols implies that the ../data/rfc/rfc2194.txt- partners do not communicate with the settlement agent using NAS ../data/rfc/rfc2194.txt: accounting protocols. As a result, accounting protocol ../data/rfc/rfc2194.txt- interoperability is not be required. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- However, for this advantage to be fully realized, it is necessary for ../data/rfc/rfc2194.txt: the accounting record format to be extensible. This makes it more ../data/rfc/rfc2194.txt- likely that the format can be adapted for use with the wide variety ../data/rfc/rfc2194.txt: of accounting protocols in current use (such as SNMP, syslog, RADIUS, ../data/rfc/rfc2194.txt- and TACACS+), as well as future protocols. After all, if the record ../data/rfc/rfc2194.txt- format cannot express the metrics provided by a particular partner's ../data/rfc/rfc2194.txt: accounting protocol, then the record format will not be of much ../data/rfc/rfc2194.txt- usefor a heterogeneous roaming consortium. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt:7.11.1. Accounting record format ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- The Microsoft RADIUS proxy/server supports the ability to customize ../data/rfc/rfc2194.txt: the accounting record format, and it is expected that some ISPs will ../data/rfc/rfc2194.txt- make use of this capability. However for those who want to use it ../data/rfc/rfc2194.txt: "off the shelf" a default accounting record format is provided. 
The ../data/rfc/rfc2194.txt: accounting record includes information provided by RADIUS: ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- User Name (String; the user's ID, including prefix or suffix) ../data/rfc/rfc2194.txt- NAS IP address (Integer; the IP address of the user's NAS) ../data/rfc/rfc2194.txt- NAS Port (Integer; identifies the physical port on the NAS) ../data/rfc/rfc2194.txt- Service Type (Integer; identifies the service provided to the user) ../data/rfc/rfc2194.txt- NAS Identifier (Integer; unique identifier for the NAS) ../data/rfc/rfc2194.txt- Status Type (Integer; indicates session start and stop, ../data/rfc/rfc2194.txt: as well as accounting on and off) ../data/rfc/rfc2194.txt- Delay Time (Integer; time client has been trying to send) ../data/rfc/rfc2194.txt- Input Octets (Integer; in stop record, octets received from port) ../data/rfc/rfc2194.txt- Output Octets (Integer; in stop record, octets sent to port) ../data/rfc/rfc2194.txt- Session ID (Integer; unique ID linking start and stop records) ../data/rfc/rfc2194.txt- Authentication (Integer; indicates how user was authenticated) -- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- However, since this default format is not extensible, it cannot ../data/rfc/rfc2194.txt- easily be adapted to protocols other than RADIUS, services other than ../data/rfc/rfc2194.txt- dialup (i.e. dedicated connections) or rated events (i.e. file ../data/rfc/rfc2194.txt- downloads). This is a serious limitation, and as a result, customers ../data/rfc/rfc2194.txt: have requested a more general accounting record format. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt-7.11.2. Transfer mechanism ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: Prior to being transferred, the accounting records are compressed so ../data/rfc/rfc2194.txt: as to save bandwidth. 
The transfer of accounting records is handled ../data/rfc/rfc2194.txt- via FTP, with the transfer being initiated by the receiving party, ../data/rfc/rfc2194.txt- rather than by the sending party. A duplicate set of records is kept ../data/rfc/rfc2194.txt- by the local ISP for verification purposes. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt-8. Merit Network Implementation -- ../data/rfc/rfc2194.txt- qualified domain name. Users accessing the shared dial-in service ../data/rfc/rfc2194.txt- identify themselves by using a MichNet AccessID which consists of ../data/rfc/rfc2194.txt- their local id concatenated with "@" followed by the realm-name - ../data/rfc/rfc2194.txt- e.g. user@realm ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: Merit operates a set of Authentication, Authorization and Accounting ../data/rfc/rfc2194.txt- (AAA) servers supporting the RADIUS protocol which are called core ../data/rfc/rfc2194.txt- servers. The core servers support all the dial-in service sites and ../data/rfc/rfc2194.txt- act as proxy servers to other AAA servers running at the ../data/rfc/rfc2194.txt- participating organizations. For security reasons, Merit staff run ../data/rfc/rfc2194.txt- all core servers; in particular, the user password is in the clear -- ../data/rfc/rfc2194.txt-8.1.2. MichNet National and International Dial-In Services ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- In addition to the MichNet shared dial-in service, Merit also ../data/rfc/rfc2194.txt- provides access from locations outside of Michigan by interconnecting ../data/rfc/rfc2194.txt- with other dial-in services. These services are typically billed by ../data/rfc/rfc2194.txt: connect time. Merit acts as the accounting agent between its member ../data/rfc/rfc2194.txt- and affiliate organizations and the outside service provider. 
../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- The services currently supported are a national 800 number and ../data/rfc/rfc2194.txt- service via the ADP/Autonet dial-in network. Connection with ../data/rfc/rfc2194.txt- IBM/Advantis is being tested, and several other service interconnects ../data/rfc/rfc2194.txt- are being investigated. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- Calls placed by a Merit member/affiliate user to these external ../data/rfc/rfc2194.txt- dial-in services are authenticated by having each of those services ../data/rfc/rfc2194.txt: forward RADIUS authentication requests and accounting messages to a ../data/rfc/rfc2194.txt- Merit proxy core server. The core forwards the requests to the ../data/rfc/rfc2194.txt- member/affiliate server for approval. Session records are logged at ../data/rfc/rfc2194.txt- the Merit core server and at the member/affiliate erver. Merit bills ../data/rfc/rfc2194.txt: members/affiliates monthly, based on processing of the accounting ../data/rfc/rfc2194.txt- logs. The members and affiliates are responsible for rebilling their ../data/rfc/rfc2194.txt- users. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- The Merit AAA software supports the ability to request positive ../data/rfc/rfc2194.txt- confirmation of acceptance of charges, and provides tools for -- ../data/rfc/rfc2194.txt- institutions have control in defining authorization rules. Currently ../data/rfc/rfc2194.txt- authorization may be done using any combination of the user's group ../data/rfc/rfc2194.txt- status and user's account status. A set of programming interfaces is ../data/rfc/rfc2194.txt- also provided for incorporating new authorization policies. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt:8.3. 
Accounting ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- In the Merit AAA server, a session is defined as starting from the ../data/rfc/rfc2194.txt- moment the user connects to the NAS, and ending at the point when the ../data/rfc/rfc2194.txt- user disconnects. During the course of a session, both the core ../data/rfc/rfc2194.txt- server and the home server maintain status information about the -- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- available tokens, or to limit number of simultaneous sessions for a ../data/rfc/rfc2194.txt- given AccessID. Information such as whether the session is for a ../data/rfc/rfc2194.txt- guest, whether it used a token, and other information is included ../data/rfc/rfc2194.txt: with the accounting stop information when it is logged. Merit has ../data/rfc/rfc2194.txt- made enhancements to the RADIUS protocol, that are local to the AAA ../data/rfc/rfc2194.txt- server, to support maintenance of session status information. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- When a user session is successfully authenticated, the NAS sends out ../data/rfc/rfc2194.txt: a RADIUS accounting start request to the core server. The core server ../data/rfc/rfc2194.txt- forwards that request to the user's home server. The home server ../data/rfc/rfc2194.txt- updates the status of the session and then responds to the core. The ../data/rfc/rfc2194.txt: core server in turn responds to the NAS. In the accounting Start ../data/rfc/rfc2194.txt- request, a NAS conforming to the RADIUS specification must return the ../data/rfc/rfc2194.txt- Class attribute and value it received in the Access-Accept for the ../data/rfc/rfc2194.txt- session, thus sending back the dial-in session identifier created by ../data/rfc/rfc2194.txt- the session's home server. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: When a user ends a session, an accounting stop request is sent ../data/rfc/rfc2194.txt- through the same path. the same path. 
The dial-in session ../data/rfc/rfc2194.txt- identifier is again returned by the NAS, providing a means of ../data/rfc/rfc2194.txt- uniquely identifying a session. By configuring the finite state ../data/rfc/rfc2194.txt: machine in each of the AAA servers, any accounting requests may be ../data/rfc/rfc2194.txt: logged by any of the servers where the accounting requests are ../data/rfc/rfc2194.txt- received. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- Because the same session logs are available on every server in the ../data/rfc/rfc2194.txt: path of a session's authorization and accounting message, problems ../data/rfc/rfc2194.txt- with reconciliation of specific sessions may be resolved easily. For ../data/rfc/rfc2194.txt- the shared dial-in service, there are no usage charges. Merit has ../data/rfc/rfc2194.txt- tools to verify that organizations do not authorize more guest ../data/rfc/rfc2194.txt- sessions than the number of SATs allocated to the organization. For ../data/rfc/rfc2194.txt- surcharged sessions, Merit sends each organization a summary bill -- ../data/rfc/rfc2194.txt- between systems. Such authenticated sessions are particularly ../data/rfc/rfc2194.txt- important between the local, regional and zone coordinators who ../data/rfc/rfc2194.txt- handle preparation and transmission of the Nodediffs. A single shared ../data/rfc/rfc2194.txt- secret is used per system. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt:9.6. Accounting ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: Within FidoNet, the need for accounting arises primarily from the ../data/rfc/rfc2194.txt- need of local, regional and zone coordinators to be reimbursed for ../data/rfc/rfc2194.txt- their expenses. In order to support this, utilities have been ../data/rfc/rfc2194.txt- developed to account for network usage at the system level according ../data/rfc/rfc2194.txt: to various metrics. However, the accounting techniques are not ../data/rfc/rfc2194.txt- applied at the user level. 
Distributed authentication and acounting ../data/rfc/rfc2194.txt- are not implemented and therefore users may not roam between systems. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt-10. Acknowledgements ../data/rfc/rfc2194.txt- -- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- [9] Rigney, C., Rubens, A., Simpson, W., and S. Willens, "Remote ../data/rfc/rfc2194.txt- Authentication Dial In User Service (RADIUS)", RFC 2058, Livingston, ../data/rfc/rfc2194.txt- Merit, Daydreamer, January 1997. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt: [10] Rigney, C., "RADIUS Accounting", RFC 2059, Livingston, January ../data/rfc/rfc2194.txt- 1997. ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- ../data/rfc/rfc2194.txt- -- ../data/rfc/rfc5067.txt- PLMN, provided that an access point of some type to the destination ../data/rfc/rfc5067.txt- service provider's network is available on the Internet. There is ../data/rfc/rfc5067.txt- also no guarantee that the originating service provider querying ../data/rfc/rfc5067.txt- infrastructure ENUM is able to access the ingress network element of ../data/rfc/rfc5067.txt- the destination provider's network. Additional peering and ../data/rfc/rfc5067.txt: accounting agreements requiring authentication may be necessary. The ../data/rfc/rfc5067.txt- access provided may also be to a shared network of a group of ../data/rfc/rfc5067.txt- providers, resolving the final destination network within the shared ../data/rfc/rfc5067.txt- network. ../data/rfc/rfc5067.txt- ../data/rfc/rfc5067.txt- -- ../data/rfc/rfc5931.txt- ../data/rfc/rfc5931.txt-RFC 5931 EAP Password August 2010 ../data/rfc/rfc5931.txt- ../data/rfc/rfc5931.txt- ../data/rfc/rfc5931.txt- [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, ../data/rfc/rfc5931.txt: Authorization, and Accounting (AAA) Key Management", ../data/rfc/rfc5931.txt- BCP 132, RFC 4962, July 2007. ../data/rfc/rfc5931.txt- ../data/rfc/rfc5931.txt- [RFC5114] Lepinski, M. 
and S. Kent, "Additional Diffie-Hellman ../data/rfc/rfc5931.txt- Groups for Use with IETF Standards", RFC 5114, ../data/rfc/rfc5931.txt- January 2008. -- ../data/rfc/rfc6155.txt- an authenticated and authorized third-party requestor, it can treat ../data/rfc/rfc6155.txt- this request as a location configuration request. ../data/rfc/rfc6155.txt- ../data/rfc/rfc6155.txt- After receiving a location request that includes an NAI, the LIS ../data/rfc/rfc6155.txt- sends a "Location-Requestor-Authentication-Protocol" access request ../data/rfc/rfc6155.txt: message to the Authentication, Authorization, and Accounting (AAA) ../data/rfc/rfc6155.txt- server. This request includes an "MS-Identity-Assertion" parameter ../data/rfc/rfc6155.txt- containing the NAI. ../data/rfc/rfc6155.txt- ../data/rfc/rfc6155.txt- The AAA server consults network policy, and if the request is ../data/rfc/rfc6155.txt- permitted, the response includes the IP address that is currently -- ../data/rfc/rfc2501.txt- both bidirectional and unidirectional links. ../data/rfc/rfc2501.txt- ../data/rfc/rfc2501.txt- 2) Bandwidth-constrained, variable capacity links: Wireless links ../data/rfc/rfc2501.txt- will continue to have significantly lower capacity than their ../data/rfc/rfc2501.txt- hardwired counterparts. In addition, the realized throughput of ../data/rfc/rfc2501.txt: wireless communications--after accounting for the effects of ../data/rfc/rfc2501.txt- multiple access, fading, noise, and interference conditions, ../data/rfc/rfc2501.txt- etc.--is often much less than a radio's maximum transmission rate. 
../data/rfc/rfc2501.txt- ../data/rfc/rfc2501.txt- One effect of the relatively low to moderate link capacities is ../data/rfc/rfc2501.txt- that congestion is typically the norm rather than the exception, -- ../data/rfc/rfc2501.txt- ../data/rfc/rfc2501.txt- 3) Topological rate of change--the speed with which a network's ../data/rfc/rfc2501.txt- topology is changing ../data/rfc/rfc2501.txt- ../data/rfc/rfc2501.txt- 4) Link capacity--effective link speed measured in bits/second, ../data/rfc/rfc2501.txt: after accounting for losses due to multiple access, coding, ../data/rfc/rfc2501.txt- framing, etc. ../data/rfc/rfc2501.txt- ../data/rfc/rfc2501.txt- 5) Fraction of unidirectional links--how effectively does a ../data/rfc/rfc2501.txt- protocol perform as a function of the presence of unidirectional ../data/rfc/rfc2501.txt- links? -- ../data/rfc/rfc5058.txt- ../data/rfc/rfc5058.txt- - Destination unawareness: When a multicast packet arrives in a ../data/rfc/rfc5058.txt- router, the router can determine the next hops for the packet, ../data/rfc/rfc5058.txt- but knows nothing about the ultimate destinations of the packet, ../data/rfc/rfc5058.txt- nor about how many times the packet will be duplicated later on ../data/rfc/rfc5058.txt: in the network. This complicates the security, accounting and ../data/rfc/rfc5058.txt- policy functions. ../data/rfc/rfc5058.txt- ../data/rfc/rfc5058.txt- In addition to the Host Group model, a routing algorithm is required ../data/rfc/rfc5058.txt- to maintain the member state and the delivery tree. This can be done ../data/rfc/rfc5058.txt- using a (truncated) broadcast algorithm or a multicast algorithm -- ../data/rfc/rfc5058.txt- implementations, this is on a polling basis, yielding a slower ../data/rfc/rfc5058.txt- reaction to, e.g., link failures. 
It may also take some time for ../data/rfc/rfc5058.txt- traditional IP multicast routing protocols to fix things up if ../data/rfc/rfc5058.txt- there is a large number of groups that need to be fixed. ../data/rfc/rfc5058.txt- ../data/rfc/rfc5058.txt: 7) Easy security and accounting. In contrast with the Host Group ../data/rfc/rfc5058.txt- Model, in Xcast all the sources know the members of the multicast ../data/rfc/rfc5058.txt- channel, which gives the sources the means to, e.g., reject ../data/rfc/rfc5058.txt- certain members or count the traffic going to certain members ../data/rfc/rfc5058.txt- quite easily. Not only a source, but also a border router is able ../data/rfc/rfc5058.txt- to determine how many times a packet will be duplicated in its -- ../data/rfc/rfc5975.txt- obey the rule that over all time periods, the amount of data sent ../data/rfc/rfc5975.txt- cannot exceed MPS+min[pT, rT+b-MPS], where r and b are the token ../data/rfc/rfc5975.txt- bucket parameters, MPS is the maximum packet size, and T is the ../data/rfc/rfc5975.txt- length of the time period (note that when p is infinite, this reduces ../data/rfc/rfc5975.txt- to the standard token bucket requirement). For the purposes of this ../data/rfc/rfc5975.txt: accounting, links MUST count packets that are smaller than the ../data/rfc/rfc5975.txt- minimum policing unit as being of size m. Packets that arrive at an ../data/rfc/rfc5975.txt- element and cause a violation of the MPS + min[pT, rT+b-MPS] bound ../data/rfc/rfc5975.txt- are considered non-conformant. ../data/rfc/rfc5975.txt- ../data/rfc/rfc5975.txt- All 5 of the sub-parameters MUST be included in the TMOD parameter. -- ../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt-5. 
Abuse Prevention and Incident Handling ../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt- Since the eduroam service is a confederation of autonomous networks, ../data/rfc/rfc7593.txt: there is little justification for transferring accounting information ../data/rfc/rfc7593.txt- from the Service Provider to any other (in general) or to the ../data/rfc/rfc7593.txt: Identity Provider of the user (in particular). Accounting in eduroam ../data/rfc/rfc7593.txt- is therefore considered to be a local matter of the Service Provider. ../data/rfc/rfc7593.txt- The eduroam compliance statement [eduroam-compliance] in fact ../data/rfc/rfc7593.txt: specifies that accounting traffic [RFC5280] SHOULD NOT be forwarded. ../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt- The static routing infrastructure of eduroam acts as a filtering ../data/rfc/rfc7593.txt: system blocking accounting traffic from misconfigured local RADIUS ../data/rfc/rfc7593.txt: servers. Proxy servers are configured to terminate accounting ../data/rfc/rfc7593.txt: request traffic by answering to Accounting-Requests with an ../data/rfc/rfc7593.txt: Accounting-Response in order to prevent the retransmission of ../data/rfc/rfc7593.txt: orphaned Accounting-Request messages. With dynamic discovery, ../data/rfc/rfc7593.txt- Identity Providers that are discoverable via DNS will need to apply ../data/rfc/rfc7593.txt- these filtering measures themselves. This is an increase in ../data/rfc/rfc7593.txt- complexity of the Identity Provider RADIUS configuration. ../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt- Roaming creates accountability problems, as identified by [RFC4372] -- ../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt-5.3. 
Chargeable User Identity ../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt- The Chargeable-User-Identity (CUI) attribute is defined by RFC 4372 ../data/rfc/rfc7593.txt: [RFC4372] as an answer to accounting problems caused by the use of ../data/rfc/rfc7593.txt- anonymous identity in some EAP methods. In eduroam, the primary use ../data/rfc/rfc7593.txt- of CUI is in incident handling, but it can also enhance local ../data/rfc/rfc7593.txt: accounting. ../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt- The eduroam policy requires that a given user's CUI generated for ../data/rfc/rfc7593.txt- requests originating from different sites should be different (to ../data/rfc/rfc7593.txt- prevent collusion attacks). The eduroam policy thus mandates that a ../data/rfc/rfc7593.txt- CUI request be accompanied by the Operator-Name attribute, which is -- ../data/rfc/rfc7593.txt- implementations; therefore, the only solution was moving all CUI ../data/rfc/rfc7593.txt- support to the RADIUS server. ../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt- CUI request generation requires only the addition of NUL CUI ../data/rfc/rfc7593.txt- attributes to outgoing Access-Requests; however, the real strength of ../data/rfc/rfc7593.txt: CUI comes with accounting. Implementation of CUI-based accounting in ../data/rfc/rfc7593.txt: the server requires that the authentication and accounting RADIUS ../data/rfc/rfc7593.txt- servers used directly by the NAS are actually the same or at least ../data/rfc/rfc7593.txt- have access to a common source of information. Upon processing of an ../data/rfc/rfc7593.txt- Access-Accept, the authenticating RADIUS server must store the ../data/rfc/rfc7593.txt- received CUI value together with the device's Calling-Station-Id in a ../data/rfc/rfc7593.txt: temporary database. Upon receipt of an Accounting-Request, the ../data/rfc/rfc7593.txt- server needs to update the packet with the CUI value read from the ../data/rfc/rfc7593.txt- database. 
../data/rfc/rfc7593.txt- ../data/rfc/rfc7593.txt- A wide introduction of CUI support in eduroam will significantly ../data/rfc/rfc7593.txt- simplify incident handling at Service Providers. Introducing local, -- ../data/rfc/rfc923.txt- 1-149 Unassigned [JBP] ../data/rfc/rfc923.txt- 150 Xerox NS IDP [109,LLG] ../data/rfc/rfc923.txt- 151 Unassigned [JBP] ../data/rfc/rfc923.txt- 152 PARC Universal Protocol [11,HGM] ../data/rfc/rfc923.txt- 153 TIP Status Reporting [JGH] ../data/rfc/rfc923.txt: 154 TIP Accounting [JGH] ../data/rfc/rfc923.txt- 155 Internet Protocol [regular] [33,77,JBP] ../data/rfc/rfc923.txt- 156-158 Internet Protocol [experimental] [33,77,JBP] ../data/rfc/rfc923.txt- 159 Figleaf Link [JBW1] ../data/rfc/rfc923.txt- 160-195 Unassigned [JBP] ../data/rfc/rfc923.txt- 196-247 Experimental Protocols [JBP] -- ../data/rfc/rfc750.txt- 1 1 Reserved ../data/rfc/rfc750.txt- 2-71 2-107 AHHP Regular Messages [1,3] ../data/rfc/rfc750.txt- 72-151 110-227 Reserved ../data/rfc/rfc750.txt- 152 230 PARC Universal Protocol ../data/rfc/rfc750.txt- 153 231 TIP Status Reporting ../data/rfc/rfc750.txt: 154 232 TIP Accounting ../data/rfc/rfc750.txt- 155-158 233-236 Internet Protocol [35,36,42,43,44] ../data/rfc/rfc750.txt- 159-191 237-277 Measurements [28] ../data/rfc/rfc750.txt- 192-195 300-303 Message Switching Protocol [4,5] ../data/rfc/rfc750.txt- 196-255 304-377 Experimental Protocols ../data/rfc/rfc750.txt- 224-255 340-377 NVP [1,39] -- ../data/rfc/rfc7927.txt- ../data/rfc/rfc7927.txt- infrastructure networks, development of management tools and ../data/rfc/rfc7927.txt- mechanisms must go hand in hand with the rest of the architecture ../data/rfc/rfc7927.txt- design. 
../data/rfc/rfc7927.txt- ../data/rfc/rfc7927.txt: Although defining an FCAPS (Fault, Configuration, Accounting, ../data/rfc/rfc7927.txt- Performance, and Security) [ISOIEC-7498-4] management model for ICN ../data/rfc/rfc7927.txt- is clearly outside the scope of this document, there is a need for ../data/rfc/rfc7927.txt- creating basic tools early on while ICN is still in the design and ../data/rfc/rfc7927.txt- experimentation phases that can evolve over time and help network ../data/rfc/rfc7927.txt- operations centers (NOCs) to define policies, validate that they are ../data/rfc/rfc7927.txt- indeed used in practice, be notified early on about failures, and ../data/rfc/rfc7927.txt- determine and resolve configuration problems. Authentication, ../data/rfc/rfc7927.txt: Authorization, and Accounting (AAA) as well as performance ../data/rfc/rfc7927.txt- management, from a NOC perspective, will also need to be considered. ../data/rfc/rfc7927.txt- Given the expectations for a large number of nodes and unprecedented ../data/rfc/rfc7927.txt- traffic volumes, automating tasks or, even better, employing self- ../data/rfc/rfc7927.txt- management mechanisms is preferred. The main challenge here is that ../data/rfc/rfc7927.txt- all tools we have at our disposal today are node-centric, are end-to- -- ../data/rfc/rfc5472.txt-Table of Contents ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- 1. Introduction ....................................................4 ../data/rfc/rfc5472.txt- 1.1. Terminology ................................................4 ../data/rfc/rfc5472.txt- 2. Applications of IPFIX ...........................................4 ../data/rfc/rfc5472.txt: 2.1. Accounting .................................................4 ../data/rfc/rfc5472.txt- 2.1.1. Example .............................................5 ../data/rfc/rfc5472.txt- 2.2. Traffic Profiling ..........................................7 ../data/rfc/rfc5472.txt- 2.3. 
Traffic Engineering ........................................8 ../data/rfc/rfc5472.txt- 2.4. Network Security ...........................................9 ../data/rfc/rfc5472.txt- 2.5. QoS Monitoring ............................................11 -- ../data/rfc/rfc5472.txt- used as the basis for the design of the IPFIX protocol. This section ../data/rfc/rfc5472.txt- describes how these target applications can use the IPFIX protocol. ../data/rfc/rfc5472.txt- Considerations for using IPFIX for applications other than those ../data/rfc/rfc5472.txt- described in [RFC3917] can be found in Section 4.1. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt:2.1. Accounting ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt: Usage-based accounting is one of the target applications for IPFIX as ../data/rfc/rfc5472.txt- defined in [RFC3917]. IPFIX records provide fine-grained measurement ../data/rfc/rfc5472.txt- results for highly flexible and detailed usage reporting. Such data ../data/rfc/rfc5472.txt: is used to realize usage-based accounting. Nevertheless, IPFIX does ../data/rfc/rfc5472.txt- not provide the reliability required by usage-based billing systems ../data/rfc/rfc5472.txt: as defined in [RFC2975] (see Section 4.2). The accounting scenarios ../data/rfc/rfc5472.txt- described in this document only provide limited reliability as ../data/rfc/rfc5472.txt- explained in Section 4.2 and should not be used in environments where ../data/rfc/rfc5472.txt- reliability as demanded by [RFC2975] is mandatory. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt: In order to realize usage-based accounting with IPFIX, the Flow ../data/rfc/rfc5472.txt: definition has to be chosen in accordance with the accounting purpose, ../data/rfc/rfc5472.txt- such as trend analysis, capacity planning, auditing, or billing and ../data/rfc/rfc5472.txt- cost allocation where some loss of data can be tolerated (see Section ../data/rfc/rfc5472.txt- 4.2). 
../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- -- ../data/rfc/rfc5472.txt-RFC 5472 IPFIX Applicability March 2009 ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- Flows can be distinguished by various IEs (e.g., packet header ../data/rfc/rfc5472.txt- fields) from [RFC5102]. Due to the flexible IPFIX Flow definition, ../data/rfc/rfc5472.txt: arbitrary Flow-based accounting models can be realized without ../data/rfc/rfc5472.txt- extensions to the IPFIX protocol. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt: Accounting can, for instance, be based on individual end-to-end ../data/rfc/rfc5472.txt- Flows. In this case, it can be realized with a Flow definition ../data/rfc/rfc5472.txt- determined by the quintuple consisting of source address ../data/rfc/rfc5472.txt- (sourceIPv4Address), destination address (destinationIPv4Address), ../data/rfc/rfc5472.txt- protocol (protocolIdentifier), and port numbers (udpSourcePort, ../data/rfc/rfc5472.txt: udpDestinationPort). Another example is class-dependent accounting ../data/rfc/rfc5472.txt- (e.g., in a Diffserv network). In this case, Flows could be ../data/rfc/rfc5472.txt- distinguished just by the Diffserv codepoint (DSCP) ../data/rfc/rfc5472.txt- (ipDiffServCodePoint) and IP addresses (sourceIPv4Address, ../data/rfc/rfc5472.txt- destinationIPv4Address). The essential elements needed for ../data/rfc/rfc5472.txt: accounting are the number of transferred packets and bytes per Flow, ../data/rfc/rfc5472.txt- which can be represented by the per-flow counter IEs (e.g., ../data/rfc/rfc5472.txt- packetTotalCount, octetTotalCount). ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt: For accounting purposes, it would be advantageous to have the ability ../data/rfc/rfc5472.txt: to use IPFIX Flow Records as accounting input in an Authentication, ../data/rfc/rfc5472.txt: Authorization, and Accounting (AAA) infrastructure. 
AAA servers then ../data/rfc/rfc5472.txt- could provide the mapping between user and Flow information. Again ../data/rfc/rfc5472.txt- for such scenarios the limited reliability currently provided by ../data/rfc/rfc5472.txt- IPFIX has to be taken into account. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt-2.1.1. Example -- ../data/rfc/rfc5472.txt- required for the target applications described in [RFC3917] ../data/rfc/rfc5472.txt- (M-mandatory, R-recommended, O-optional). ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- | Application | [RFC5102] | [RFC5477] | additional IEs | ../data/rfc/rfc5472.txt- +-------------+------------+--------------+-----------------+ ../data/rfc/rfc5472.txt: | Accounting | M | - | - | ../data/rfc/rfc5472.txt- +-------------+------------+--------------+-----------------+ ../data/rfc/rfc5472.txt- | Traffic | M | O | - | ../data/rfc/rfc5472.txt- | Profiling | | | | ../data/rfc/rfc5472.txt- +-------------+------------+--------------+-----------------+ ../data/rfc/rfc5472.txt- | Traffic | M | - | O | -- ../data/rfc/rfc5472.txt- +-------------+------------+--------------+-----------------+ ../data/rfc/rfc5472.txt- | QoS | M | M | O | ../data/rfc/rfc5472.txt- | Monitoring | |(most metrics)|(derived metrics)| ../data/rfc/rfc5472.txt- +-------------+------------+--------------+-----------------+ ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt: For accounting, the IEs in [RFC5102] are sufficient. As mentioned ../data/rfc/rfc5472.txt- above, IPFIX does not conform to the reliability requirements ../data/rfc/rfc5472.txt- demanded by [RFC2975] for usage-based billing systems (see Section ../data/rfc/rfc5472.txt- 4.2). For traffic profiling, additional IEs from [RFC5477] can be ../data/rfc/rfc5472.txt- useful to gain more insight into the traffic. For traffic ../data/rfc/rfc5472.txt- engineering, Flow information from [RFC5102] is sufficient, but it -- ../data/rfc/rfc5472.txt- (see Sections 2.5 and 2.7 for details and references). 
../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt-3.5. IPFIX and AAA ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- AAA defines a protocol and architecture for authentication, ../data/rfc/rfc5472.txt: authorization, and accounting for service usage [RFC2903]. The ../data/rfc/rfc5472.txt- DIAMETER protocol [RFC3588] is used for AAA communication, which is ../data/rfc/rfc5472.txt- needed for network access services (Mobile IP, NASREQ, and ROAMOPS). ../data/rfc/rfc5472.txt- The AAA architecture [RFC2903] provides a framework for extending AAA ../data/rfc/rfc5472.txt- support to other services. DIAMETER defines the exchange of messages ../data/rfc/rfc5472.txt- between AAA entities, e.g., between AAA clients at access devices and ../data/rfc/rfc5472.txt- AAA servers, and among AAA servers. DIAMETER is used for the ../data/rfc/rfc5472.txt: transfer of accounting records. In order to form accounting records ../data/rfc/rfc5472.txt: for usage-based accounting measurement, data from the network is ../data/rfc/rfc5472.txt- required. IPFIX defines a protocol to export such data from routers, ../data/rfc/rfc5472.txt- measurement probes, and other devices. Therefore, it looks promising ../data/rfc/rfc5472.txt- to connect those two architectures. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- For all scenarios described here, one has to keep in mind that IPFIX ../data/rfc/rfc5472.txt- does not conform to the reliability requirements for usage-based ../data/rfc/rfc5472.txt- billing described in [RFC2975] (see Section 4.2). Using IPFIX ../data/rfc/rfc5472.txt- without reliability extensions together with AAA would result in ../data/rfc/rfc5472.txt: accounting scenarios that do not conform to usage-based billing ../data/rfc/rfc5472.txt- requirements described in [RFC2975]. 
../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt: As shown in Section 2.1, accounting applications can directly ../data/rfc/rfc5472.txt- incorporate an IPFIX Collecting Process to receive IPFIX records with ../data/rfc/rfc5472.txt- information about the transmitted volume. Nevertheless, if a AAA ../data/rfc/rfc5472.txt- infrastructure is in place, the cooperation between IPFIX and AAA ../data/rfc/rfc5472.txt- provides many valuable synergistic benefits. IPFIX records can ../data/rfc/rfc5472.txt: provide the input for AAA accounting functions and provide the basis ../data/rfc/rfc5472.txt: for the generation of DIAMETER accounting records. However, as ../data/rfc/rfc5472.txt- stated in Section 4.2, the use of IPFIX as described in [RFC5101] is ../data/rfc/rfc5472.txt: currently limited to situations where the purpose of the accounting ../data/rfc/rfc5472.txt- does not require reliability. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- Further potential features include the mapping of a user ID to Flow ../data/rfc/rfc5472.txt- information (by using authentication information) or using the secure ../data/rfc/rfc5472.txt: authorized exchange of DIAMETER accounting records with neighbor ../data/rfc/rfc5472.txt- domains. The last feature is especially useful in roaming scenarios ../data/rfc/rfc5472.txt- where the user connects to a foreign network and the home provider ../data/rfc/rfc5472.txt- generates the invoice. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- -- ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt-3.5.1. Connecting via a AAA Client ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- One possibility of connecting IPFIX and AAA is to run a AAA client on ../data/rfc/rfc5472.txt: the IPFIX Collector. This client can generate DIAMETER accounting ../data/rfc/rfc5472.txt- messages and send them to a AAA server. 
The mapping of the Flow ../data/rfc/rfc5472.txt- information to a user ID can be done in the AAA server by using data ../data/rfc/rfc5472.txt: from the authentication process. DIAMETER accounting messages can be ../data/rfc/rfc5472.txt: sent to the accounting application or to other AAA servers (e.g., in ../data/rfc/rfc5472.txt- roaming scenarios). ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- +---------+ DIAMETER +---------+ ../data/rfc/rfc5472.txt- | AAA-S |------------->| AAA-S | ../data/rfc/rfc5472.txt- +---------+ +---------+ -- ../data/rfc/rfc5472.txt- between AAA server and service equipment. In this case, the IPFIX ../data/rfc/rfc5472.txt- Collector is part of the ASM. The ASM acts as an interface between ../data/rfc/rfc5472.txt- the IPFIX protocol and the input interface of the AAA server. The ../data/rfc/rfc5472.txt- ASM translates the received IPFIX data into an appropriate format for ../data/rfc/rfc5472.txt- the AAA server. The AAA server then can add information about the ../data/rfc/rfc5472.txt: user ID and generate a DIAMETER accounting record. This accounting ../data/rfc/rfc5472.txt: record can be sent to an accounting application or to other AAA ../data/rfc/rfc5472.txt- servers. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- +---------+ DIAMETER +---------+ ../data/rfc/rfc5472.txt- | AAA-S |------------->| AAA-S | ../data/rfc/rfc5472.txt- +---------+ +---------+ -- ../data/rfc/rfc5472.txt- applications. Application layer acknowledgements are necessary, ../data/rfc/rfc5472.txt- e.g., to inform the Exporter in case the application is not able to ../data/rfc/rfc5472.txt- process the data exported with IPFIX. Such acknowledgements are ../data/rfc/rfc5472.txt- not supported in IPFIX. 
../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt: Further features like archival accounting and pre-authorization are ../data/rfc/rfc5472.txt- out of the scope of the IPFIX specification but need to be realized in ../data/rfc/rfc5472.txt- billing system architectures as described in [RFC2975]. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt-4.3. Using a Different Transport Protocol than SCTP ../data/rfc/rfc5472.txt- -- ../data/rfc/rfc5472.txt- scenarios described in this document. To our current knowledge, the ../data/rfc/rfc5472.txt- usage scenarios proposed in Section 2 do not induce further security ../data/rfc/rfc5472.txt- hazards. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- The threat level to IPFIX itself may depend on the usage scenario of ../data/rfc/rfc5472.txt: IPFIX. The usage of IPFIX for accounting or attack detection may ../data/rfc/rfc5472.txt- increase the incentive to attack IPFIX itself. Nevertheless, ../data/rfc/rfc5472.txt- security considerations have to be taken into account in all ../data/rfc/rfc5472.txt- described scenarios. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- As described in the security considerations in [RFC5101], security -- ../data/rfc/rfc5472.txt- [RFC2903] de Laat, C., Gross, G., Gommans, L., Vollbrecht, J., and ../data/rfc/rfc5472.txt- D. Spence, "Generic AAA Architecture", RFC 2903, August ../data/rfc/rfc5472.txt- 2000. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- [RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to ../data/rfc/rfc5472.txt: Accounting Management", RFC 2975, October 2000. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- [RFC3246] Davie, B., Charny, A., Bennet, J., Benson, K., Le Boudec, ../data/rfc/rfc5472.txt- J., Courtney, W., Davari, S., Firoiu, V., and D. ../data/rfc/rfc5472.txt- Stiliadis, "An Expedited Forwarding PHB (Per-Hop ../data/rfc/rfc5472.txt- Behavior)", RFC 3246, March 2002. 
../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- [RFC3330] IANA, "Special-Use IPv4 Addresses", RFC 3330, September ../data/rfc/rfc5472.txt- 2002. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- [RFC3334] Zseby, T., Zander, S., and C. Carle, "Policy-Based ../data/rfc/rfc5472.txt: Accounting", RFC 3334, October 2002. ../data/rfc/rfc5472.txt- ../data/rfc/rfc5472.txt- [RFC3393] Demichelis, C. and P. Chimento, "IP Packet Delay Variation ../data/rfc/rfc5472.txt- Metric for IP Performance Metrics (IPPM)", RFC 3393, ../data/rfc/rfc5472.txt- November 2002. ../data/rfc/rfc5472.txt- -- ../data/rfc/rfc1549.txt- during inter-frame time fill. There is no provision for inter- ../data/rfc/rfc1549.txt- octet time fill. ../data/rfc/rfc1549.txt- ../data/rfc/rfc1549.txt- Mark idle (continuous ones) SHOULD NOT be used for inter-frame ../data/rfc/rfc1549.txt- fill. However, certain types of circuit-switched links require the ../data/rfc/rfc1549.txt: use of mark idle, particularly those that calculate accounting ../data/rfc/rfc1549.txt- based on periods of bit activity. When mark idle is used on a ../data/rfc/rfc1549.txt- bit-synchronous link, the implementation MUST ensure at least 15 ../data/rfc/rfc1549.txt- consecutive "1" bits between Flags during the idle period, and ../data/rfc/rfc1549.txt- that the Flag Sequence is always generated at the beginning of a ../data/rfc/rfc1549.txt- frame after an idle period. -- ../data/rfc/rfc6630.txt- ../data/rfc/rfc6630.txt- The following acronyms are used in this document; see the references ../data/rfc/rfc6630.txt- for more details. ../data/rfc/rfc6630.txt- ../data/rfc/rfc6630.txt- AAA ../data/rfc/rfc6630.txt: Authentication, Authorization, and Accounting [RFC3588] ../data/rfc/rfc6630.txt- ../data/rfc/rfc6630.txt- CAP ../data/rfc/rfc6630.txt- Candidate Attachment Point [RFC5836] ../data/rfc/rfc6630.txt- ../data/rfc/rfc6630.txt- DSRK -- ../data/rfc/rfc6630.txt- ../data/rfc/rfc6630.txt- [RFC4868] Kelly, S. and S. 
Frankel, "Using HMAC-SHA-256, HMAC-SHA- ../data/rfc/rfc6630.txt- 384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007. ../data/rfc/rfc6630.txt- ../data/rfc/rfc6630.txt- [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, ../data/rfc/rfc6630.txt: Authorization, and Accounting (AAA) Key Management", ../data/rfc/rfc6630.txt- BCP 132, RFC 4962, July 2007. ../data/rfc/rfc6630.txt- ../data/rfc/rfc6630.txt- [RFC5836] Ohba, Y., Wu, Q., and G. Zorn, "Extensible Authentication ../data/rfc/rfc6630.txt- Protocol (EAP) Early Authentication Problem Statement", ../data/rfc/rfc6630.txt- RFC 5836, April 2010. -- ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt-RFC 5661 NFSv4.1 January 2010 ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- o A new request, in which the sequence ID is one greater than that ../data/rfc/rfc5661.txt: previously seen in the slot (accounting for sequence wraparound). ../data/rfc/rfc5661.txt- The replier proceeds to execute the new request, and the replier ../data/rfc/rfc5661.txt- MUST increase the slot's sequence ID by one. ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- o A retransmitted request, in which the sequence ID is equal to that ../data/rfc/rfc5661.txt- currently recorded in the slot. If the original request has ../data/rfc/rfc5661.txt- executed to completion, the replier returns the cached reply. See ../data/rfc/rfc5661.txt- Section 2.10.6.2 for direction on how the replier deals with ../data/rfc/rfc5661.txt- retries of requests that are still in progress. ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- o A misordered retry, in which the sequence ID is less than ../data/rfc/rfc5661.txt: (accounting for sequence wraparound) that previously seen in the ../data/rfc/rfc5661.txt- slot. The replier MUST return NFS4ERR_SEQ_MISORDERED (as the ../data/rfc/rfc5661.txt- result from SEQUENCE or CB_SEQUENCE). 
../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- o A misordered new request, in which the sequence ID is two or more ../data/rfc/rfc5661.txt: greater than (accounting for sequence wraparound) that previously seen in ../data/rfc/rfc5661.txt- the slot. Note that because the sequence ID MUST wrap around to ../data/rfc/rfc5661.txt- zero once it reaches 0xFFFFFFFF, a misordered new request and a ../data/rfc/rfc5661.txt- misordered retry cannot be distinguished. Thus, the replier MUST ../data/rfc/rfc5661.txt- return NFS4ERR_SEQ_MISORDERED (as the result from SEQUENCE or ../data/rfc/rfc5661.txt- CB_SEQUENCE). -- ../data/rfc/rfc5661.txt- With delegations, a client is able to avoid writing data to the ../data/rfc/rfc5661.txt- server when the CLOSE of a file is serviced. The file close system ../data/rfc/rfc5661.txt- call is the usual point at which the client is notified of a lack of ../data/rfc/rfc5661.txt- stable storage for the modified file data generated by the ../data/rfc/rfc5661.txt- application. At the close, file data is written to the server and, ../data/rfc/rfc5661.txt: through normal accounting, the server is able to determine if the ../data/rfc/rfc5661.txt- available file system space for the data has been exceeded (i.e., the ../data/rfc/rfc5661.txt: server returns NFS4ERR_NOSPC or NFS4ERR_DQUOT). This accounting ../data/rfc/rfc5661.txt- includes quotas. The introduction of delegations requires that an ../data/rfc/rfc5661.txt- alternative method be in place for the same type of communication to ../data/rfc/rfc5661.txt- occur between client and server. ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- In the delegation response, the server provides either the limit of -- ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- support a VALID_SEQID_RANGE value larger than the minimum. 
The ../data/rfc/rfc5661.txt: maximum VALID_SEQID_RANGE is (2 ^ 32 - 2) (accounting for zero not ../data/rfc/rfc5661.txt- being a valid "seqid" value). ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- If the server finds the "seqid" is zero, the NFS4ERR_BAD_STATEID ../data/rfc/rfc5661.txt- error is returned to the client. The server further validates the ../data/rfc/rfc5661.txt- "seqid" to ensure it is within the range of parallelism, -- ../data/rfc/rfc5661.txt- o that between different named attribute directories or between a ../data/rfc/rfc5661.txt- named attribute directory and an ordinary directory. ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- o that between byte-ranges of a file system that the file system ../data/rfc/rfc5661.txt- implementation treats as separate (for example, for space ../data/rfc/rfc5661.txt: accounting purposes), and where cross-connection between the byte- ../data/rfc/rfc5661.txt- ranges is not allowed. ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt-15.1.5. State Management Errors ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- These errors indicate problems with the stateid (or one of the -- ../data/rfc/rfc5661.txt- The server expects the value of csa_sequenceid in the arguments to that ../data/rfc/rfc5661.txt- CREATE_SESSION to be equal to the value of the field eir_sequenceid ../data/rfc/rfc5661.txt- that was returned in the results of the EXCHANGE_ID that returned the ../data/rfc/rfc5661.txt- unconfirmed client ID. Before the server replies to that EXCHANGE_ID ../data/rfc/rfc5661.txt- operation, it initializes the client ID slot to be equal to ../data/rfc/rfc5661.txt: eir_sequenceid - 1 (accounting for underflow), and records a ../data/rfc/rfc5661.txt- contrived CREATE_SESSION result with a "cached" result of ../data/rfc/rfc5661.txt- NFS4ERR_SEQ_MISORDERED. 
With the client ID slot thus initialized, ../data/rfc/rfc5661.txt- the processing of the CREATE_SESSION operation is divided into four ../data/rfc/rfc5661.txt- phases: ../data/rfc/rfc5661.txt- -- ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- 2. Sequence ID processing. If csa_sequenceid is equal to the ../data/rfc/rfc5661.txt- sequence ID in the client ID's slot, then this is a replay of the ../data/rfc/rfc5661.txt- previous CREATE_SESSION request, and the server returns the ../data/rfc/rfc5661.txt- cached result. If csa_sequenceid is not equal to the sequence ID ../data/rfc/rfc5661.txt: in the slot, and is more than one greater (accounting for ../data/rfc/rfc5661.txt- wraparound), then the server returns the error ../data/rfc/rfc5661.txt- NFS4ERR_SEQ_MISORDERED, and does not change the slot. If ../data/rfc/rfc5661.txt: csa_sequenceid is equal to the slot's sequence ID + 1 (accounting ../data/rfc/rfc5661.txt- for wraparound), then the slot's sequence ID is set to ../data/rfc/rfc5661.txt- csa_sequenceid, and the CREATE_SESSION processing goes to the ../data/rfc/rfc5661.txt- next phase. A subsequent new CREATE_SESSION call over the same ../data/rfc/rfc5661.txt- client ID MUST use a csa_sequenceid that is one greater than the ../data/rfc/rfc5661.txt- sequence ID in the slot. -- ../data/rfc/rfc5661.txt- The value of the sa_sequenceid argument relative to the cached ../data/rfc/rfc5661.txt- sequence ID on the slot falls into one of three cases. ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- o If the difference between sa_sequenceid and the server's cached ../data/rfc/rfc5661.txt- sequence ID at the slot ID is two (2) or more, or if sa_sequenceid ../data/rfc/rfc5661.txt: is less than the cached sequence ID (accounting for wraparound of ../data/rfc/rfc5661.txt- the unsigned sequence ID value), then the server MUST return ../data/rfc/rfc5661.txt- NFS4ERR_SEQ_MISORDERED. 
../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- o If sa_sequenceid and the cached sequence ID are the same, this is ../data/rfc/rfc5661.txt- a retry, and the server replies with what is recorded in the reply ../data/rfc/rfc5661.txt- cache. The lease is possibly renewed as described below. ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt: o If sa_sequenceid is one greater (accounting for wraparound) than ../data/rfc/rfc5661.txt- the cached sequence ID, then this is a new request, and the slot's ../data/rfc/rfc5661.txt- sequence ID is incremented. The operations subsequent to ../data/rfc/rfc5661.txt- SEQUENCE, if any, are processed. If there are no other ../data/rfc/rfc5661.txt- operations, the only other effects are to cache the SEQUENCE reply ../data/rfc/rfc5661.txt- in the slot, maintain the session's activity, and possibly renew -- ../data/rfc/rfc5661.txt- void; ../data/rfc/rfc5661.txt- }; ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt-20.9.3. DESCRIPTION ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt: The CB_SEQUENCE operation is used to manage operational accounting ../data/rfc/rfc5661.txt- for the backchannel of the session on which a request is sent. The ../data/rfc/rfc5661.txt- contents include the session ID to which this request belongs, the ../data/rfc/rfc5661.txt- slot ID and sequence ID used by the server to implement session ../data/rfc/rfc5661.txt- request control and exactly once semantics, and exchanged slot ID ../data/rfc/rfc5661.txt- maxima that are used to adjust the size of the reply cache. In each -- ../data/rfc/rfc5661.txt- The value of the csa_sequenceid argument relative to the cached ../data/rfc/rfc5661.txt- sequence ID on the slot falls into one of three cases. 
../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- o If the difference between csa_sequenceid and the client's cached ../data/rfc/rfc5661.txt- sequence ID at the slot ID is two (2) or more, or if ../data/rfc/rfc5661.txt: csa_sequenceid is less than the cached sequence ID (accounting for ../data/rfc/rfc5661.txt- wraparound of the unsigned sequence ID value), then the client ../data/rfc/rfc5661.txt- MUST return NFS4ERR_SEQ_MISORDERED. ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt- o If csa_sequenceid and the cached sequence ID are the same, this is ../data/rfc/rfc5661.txt- a retry, and the client returns the CB_COMPOUND request's cached ../data/rfc/rfc5661.txt- reply. ../data/rfc/rfc5661.txt- ../data/rfc/rfc5661.txt: o If csa_sequenceid is one greater (accounting for wraparound) than ../data/rfc/rfc5661.txt- the cached sequence ID, then this is a new request, and the slot's ../data/rfc/rfc5661.txt- sequence ID is incremented. The operations subsequent to ../data/rfc/rfc5661.txt- CB_SEQUENCE, if any, are processed. If there are no other ../data/rfc/rfc5661.txt- operations, the only other effects are to cache the CB_SEQUENCE ../data/rfc/rfc5661.txt- reply in the slot, maintain the session's activity, and when the -- ../data/rfc/rfc6909.txt-RFC 6909 IPv4 Traffic Offload Selector Option April 2013 ../data/rfc/rfc6909.txt- ../data/rfc/rfc6909.txt- ../data/rfc/rfc6909.txt- * The local mobility anchor can obtain the offload policy from ../data/rfc/rfc6909.txt- the local configuration store or from a network function such ../data/rfc/rfc6909.txt: as AAA (Authentication, Authorization, and Accounting) or PCRF ../data/rfc/rfc6909.txt- (Policy and Charging Rule Function). The offload policy has to ../data/rfc/rfc6909.txt- be translated to a set of selectors that can be used to match ../data/rfc/rfc6909.txt- the mobile node's IP flows, and these selectors have to be ../data/rfc/rfc6909.txt- carried in the Traffic Selector sub-option. 
The Traffic ../data/rfc/rfc6909.txt- Selector sub-option MUST be constructed as specified in Section -- ../data/rfc/rfc392.txt-Hicks & Wessler [Page 4] ../data/rfc/rfc392.txt- ../data/rfc/rfc392.txt-RFC 392 Measurement for Transmitting Network Data September 1972 ../data/rfc/rfc392.txt- ../data/rfc/rfc392.txt- ../data/rfc/rfc392.txt:Utah-10 Accounting for Network Usage ../data/rfc/rfc392.txt- ../data/rfc/rfc392.txt- for the period 16-SEP-72 12:48:34, ending 19-SEP-72 13:56:11 ../data/rfc/rfc392.txt- ../data/rfc/rfc392.txt- Clk Tim Cpu Tim # of Bytes Bits/sec us/bit Load ../data/rfc/rfc392.txt- -- ../data/rfc/rfc392.txt- 04:28 36.32 56362 s 1679.377 80.56 5.52 ../data/rfc/rfc392.txt- 02:12 17.71 27120 r 1634.818 81.62 1.73 ../data/rfc/rfc392.txt- 06:59 41.88 64333 s 1226.980 81.37 6.66 ../data/rfc/rfc392.txt- 37 7.63 12082 r 2552.243 78.97 0.64 ../data/rfc/rfc392.txt- ../data/rfc/rfc392.txt:Utah-10 Accounting for Network Usage ../data/rfc/rfc392.txt- ../data/rfc/rfc392.txt- for the period 13-SEP-72 2:23:12, ending 16-SEP-72 11:47:07 ../data/rfc/rfc392.txt- ../data/rfc/rfc392.txt- Clk Tim Cpu Tim # of Bytes Bits/sec us/bit Load ../data/rfc/rfc392.txt- -- ../data/rfc/rfc4029.txt- ../data/rfc/rfc4029.txt- "Network and service operation" ../data/rfc/rfc4029.txt- : This is the part of the ISP's network that hosts the ../data/rfc/rfc4029.txt- services required for the correct operation of the ../data/rfc/rfc4029.txt- ISP's network. These services usually include ../data/rfc/rfc4029.txt: management, supervision, accounting, billing, and ../data/rfc/rfc4029.txt- customer management applications. ../data/rfc/rfc4029.txt- ../data/rfc/rfc4029.txt- "Customer connection" ../data/rfc/rfc4029.txt- : This is the part of the network used by a customer ../data/rfc/rfc4029.txt- when connecting to an ISP's network. 
It includes the -- ../data/rfc/rfc4029.txt- ../data/rfc/rfc4029.txt- - Extend customer management (e.g., RADIUS) mechanisms to be ../data/rfc/rfc4029.txt- able to supply IPv6 prefixes and other information to ../data/rfc/rfc4029.txt- customers. ../data/rfc/rfc4029.txt- ../data/rfc/rfc4029.txt: - Enhance accounting, billing, and so on to work with IPv6 as ../data/rfc/rfc4029.txt- needed. (Note: If dual-stack service is offered, this may ../data/rfc/rfc4029.txt- not be necessary.) ../data/rfc/rfc4029.txt- ../data/rfc/rfc4029.txt- - Implement security for network and service operation. ../data/rfc/rfc4029.txt- -- ../data/rfc/rfc3810.txt- removed. The following points explain this decision. ../data/rfc/rfc3810.txt- ../data/rfc/rfc3810.txt- 1. Routers may want to track per-host multicast listener status on an ../data/rfc/rfc3810.txt- interface. This would allow routers to implement fast leaves ../data/rfc/rfc3810.txt- (e.g., for layered multicast congestion control schemes), as well ../data/rfc/rfc3810.txt: as track listener status for possible security or accounting ../data/rfc/rfc3810.txt- purposes. The present specification does not require routers to ../data/rfc/rfc3810.txt- implement per-host tracking. Nevertheless, the lack of host ../data/rfc/rfc3810.txt- suppression in MLDv2 makes it possible to implement either ../data/rfc/rfc3810.txt- proprietary or future standard behavior of multicast routers that ../data/rfc/rfc3810.txt- would support per-host tracking, while being fully interoperable